Splunk Enterprise

Single Node Splunk Cluster to Multi Node

kpoladasu
Explorer

Hi Team,

We have a single node splunk enterprise cluster. The version we are running is on 6.4.4. This single instance acts as master, search head and also indexer. The data got indexed in intervals from HDFS.

Now that data size is growing rapidly, we are planning to get away from single node mode to cluster mode.

Any pointers how could we proceed from a single host to multi mode by distributing all configurations , dashboards and legacy indexed data.

Thanks
Keerthi

Tags (1)
0 Karma

rewritex
Contributor

Types of Splunk Deployments
Index Clustering - Tons of info/links that branch into more info all over this page
Things I wish I knew then - This has some useful all around info
Decide on FIPS before starting the upgrade/migration

The toughest part for me was when I upgraded to an indexer cluster, I wasn't able to bring over the indexed data from the stand alone. There is a complex option of renaming bucket GUIDs to match the new GUIDs structure but I didn't go that route. I was able to search the standalone from the new SH but once I turned off the old Splunk I lost the data. Oh and create a deployment plan filling in all of your decision points and formula/values/IPs/IndexNames/Forwarders/etc, pass4symkey and other items .. this was invaluable.

Good Luck!

0 Karma

gjanders
SplunkTrust
SplunkTrust

You would effectively be going from a Splunk instance as serach head / indexer to a dedicated search head and a dedicated indexer, you could also go to a search head cluster or indexer cluster...depending on how much growth you expect you might want to build an indexer cluster...

You should probably read Deploy a distributed search environment .

I can see two obvious choices:

  • Make the current search head/indexer the new indexer, and build a separate search head
  • Make the current search head/indexer the new search head, and build a separate indexer(s)

If you make the existing search head / indexer the new indexer, no problems with attempting to move data around, but you would need to attempt to migrate all the search related configuration.

Migrate from a standalone search head to a search head cluster might help here, it explains migrating to a search head cluster however it does tell you which files you need to find, and therefore you could find/move them to your new search head.

Alternatively if you keep the current search head as the search head, you have to migrate the indexer data as per Migrate a Splunk Enterprise instance

Personally I'd build the new indexer and move the data, but you will need a development environment to test this in, it's not the easist thing to do...

adonio
Ultra Champion

Hi there,
Scaling splunk from a single instance to distributed OR clustered has some landmines. highly recommend to talk to your Splunk Sales Engineer.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@kpoladasu - Do you have an indexer cluster or search head cluster? I just want to make sure your post is tagged appropriately.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...