Splunk Enterprise

Single Node Splunk Cluster to Multi Node

kpoladasu
Explorer

Hi Team,

We have a single node Splunk Enterprise cluster. The version we are running is 6.4.4. This single instance acts as master, search head and also indexer. The data gets indexed in intervals from HDFS.

Now that data size is growing rapidly, we are planning to get away from single node mode to cluster mode.

Any pointers on how we could proceed from a single host to multi-node mode by distributing all configurations, dashboards and legacy indexed data?

Thanks
Keerthi


rewritex
Contributor

Types of Splunk Deployments
Index Clustering - Tons of info/links that branch into more info all over this page
Things I wish I knew then - This has some useful all around info
Decide on FIPS before starting the upgrade/migration

The toughest part for me was when I upgraded to an indexer cluster, I wasn't able to bring over the indexed data from the standalone. There is a complex option of renaming bucket GUIDs to match the new GUID structure but I didn't go that route. I was able to search the standalone from the new SH but once I turned off the old Splunk I lost the data. Oh, and create a deployment plan filling in all of your decision points and formula/values/IPs/IndexNames/Forwarders/etc, pass4symkey and other items... this was invaluable.

Good Luck!


gjanders
SplunkTrust

You would effectively be going from a Splunk instance as search head / indexer to a dedicated search head and a dedicated indexer; you could also go to a search head cluster or indexer cluster... depending on how much growth you expect you might want to build an indexer cluster...

You should probably read Deploy a distributed search environment.

I can see two obvious choices:

  • Make the current search head/indexer the new indexer, and build a separate search head
  • Make the current search head/indexer the new search head, and build a separate indexer(s)

If you make the existing search head / indexer the new indexer, no problems with attempting to move data around, but you would need to attempt to migrate all the search related configuration.

Migrate from a standalone search head to a search head cluster might help here; it explains migrating to a search head cluster, but it does tell you which files you need to find, and therefore you could find/move them to your new search head.

Alternatively, if you keep the current search head as the search head, you have to migrate the indexer data as per Migrate a Splunk Enterprise instance.

Personally I'd build the new indexer and move the data, but you will need a development environment to test this in; it's not the easiest thing to do...
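Whichever of the two options you pick, the first step is knowing which configuration on the standalone instance belongs to the search tier and which to the index tier. The following script is an added example, not code from the thread or Splunk's own migration tooling: it walks a (constructed) etc/ tree and sorts the files by tier. The mapping of conf files to tiers is my assumption, and props.conf/transforms.conf are flagged for manual review because they carry both index-time and search-time settings.

```python
"""Inventory a standalone Splunk instance's etc/ tree before splitting it into a
dedicated search head and indexer (constructed example; the file-to-tier mapping
below is an assumption, not Splunk's own migration tooling)."""
from pathlib import Path
import tempfile

# Knowledge objects go to the new search head, data-path settings stay with the
# indexer; props/transforms hold both index-time and search-time stanzas, so
# they are flagged for a manual split rather than copied wholesale.
SEARCH_HEAD = {"savedsearches.conf", "macros.conf", "eventtypes.conf",
               "tags.conf", "workflow_actions.conf", "times.conf"}
INDEXER = {"indexes.conf", "inputs.conf", "outputs.conf"}
REVIEW = {"props.conf", "transforms.conf"}

def classify(rel: Path) -> str:
    """Map one file (path relative to etc/) to the tier it belongs on."""
    if rel.name in REVIEW:
        return "review"
    if rel.name in SEARCH_HEAD or "lookups" in rel.parts or "ui" in rel.parts:
        return "search_head"          # dashboards, nav and lookups are search-tier
    if rel.name in INDEXER:
        return "indexer"
    return "unknown"                  # anything else needs a human decision

def inventory(etc_dir: str) -> dict:
    """Walk etc/apps and etc/users; app default/ dirs are skipped because the
    app itself should be reinstalled on the new tier, not copied."""
    etc = Path(etc_dir)
    result = {"search_head": [], "indexer": [], "review": [], "unknown": []}
    for top in ("apps", "users"):
        if not (etc / top).is_dir():
            continue
        for path in (etc / top).rglob("*"):
            rel = path.relative_to(etc)
            if path.is_file() and "default" not in rel.parts:
                result[classify(rel)].append(rel.as_posix())
    return {tier: sorted(files) for tier, files in result.items()}

def build_sample_etc() -> str:
    """Constructed etc/ tree standing in for the single-node instance."""
    base = Path(tempfile.mkdtemp()) / "etc"
    for f in ("apps/search/local/savedsearches.conf", "apps/search/local/props.conf",
              "apps/search/local/data/ui/views/hdfs_overview.xml",
              "apps/search/lookups/hosts.csv", "apps/search/default/app.conf",
              "apps/hdfs_ingest/local/indexes.conf", "apps/hdfs_ingest/local/inputs.conf",
              "users/admin/search/local/macros.conf"):
        (base / f).parent.mkdir(parents=True, exist_ok=True)
        (base / f).write_text("# constructed sample\n")
    return str(base)
```

Run `inventory("/opt/splunk/etc")` on the real instance and treat the "unknown" and "review" lists as the items to decide on before building the second node.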

adonio
Ultra Champion

Hi there,
Scaling Splunk from a single instance to distributed OR clustered has some landmines. I highly recommend talking to your Splunk Sales Engineer.


aaraneta_splunk
Splunk Employee

@kpoladasu - Do you have an indexer cluster or search head cluster? I just want to make sure your post is tagged appropriately.
