Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Site decommission- How originating data will be replicated?

giulioBalza
Path Finder
‎08-29-2022 07:31 AM

Hello,

i have to decommission a site due to datacenter dismission. Actually we have four sites with 10 indexers each.

The  site decommission is well documented, what is not clear is how the map of decommissioned site originating data is replicated to the remaining site, using:

site_mappings = site4:site2

originating data from site4 is replicated to site2, suppose there are 20TB of data, how many data every indexers on site2 receive ? Is there a sort af balancing (2TB each) or is not  predictable ?

Is also not clear if the replication bucket for the dismissed site are removed by Splunk when the cluster master is restarted or can be do manually.

I need this information to estimate if the actual size of file system is enough.

Thanks

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2022 10:02 AM

As I read the docs. the site_mappings setting does not actually replicate any data.  It merely tells the CM to use a different set of primary buckets.  So changing the site mappings will not affect your existing storage use.

However, as indexers are shut down in the decommissioned site, the CM may need to copy buckets to another site to maintain the site replication/search factor.  That *will* affect your storage use.  In the end, the 3 sites will need enough storage for site_replication_factor copies of all of your data.

---
If this reply helps you, Karma would be appreciated.
Reply

giulioBalza
Path Finder
‎08-30-2022 05:26 AM

Thanks Rick,

probably is due to be not English native language, but this part from https://docs.splunk.com/Documentation/Splunk/8.2.6/Indexer/Decommissionasite

To deal with this issue, you can map decommissioned sites to active sites. The bucket copies for which a decommissioned site is the origin site will then be replicated to the active site specified by the mapping, allowing the cluster to again meet its replication and search factors.

mention replication bucket from decommissioned to active site.

Regards

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-30-2022 05:54 AM

Hi

I understand this as:

When you have set those parameters on CM and after restart and disabling maintenance mode it start fix up tasks where it ensure that if there are any bucket which don't fulfil SF+RF as previously some buckets have been on decommissioned site it start to fix/move those to site which "replace" that decommissioned site.

After that fixes has done you should remove old indexers on decommissioned site.  It's not said should you use "splunk offline --enforce-counts" or just "splunk offline" or even "splunk stop"?  Personally I take the 1st one and if there are issues with it then change to 2nd one. Maybe you should ask that from doc team (just write question on bottom of that page and they will reply to you.

After all nodes are removed then I additionally rebalance cluster data.

r. Ismo

Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2022 05:40 AM

Thanks for referring me to that document.  It confirms buckets are indeed copied when a site is mapped.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...