Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Local Disaster Recovery Solution

jiaminyun
Path Finder
‎10-15-2024 07:19 PM
Hello, we urgently need to obtain a Splunk local disaster recovery solution and hope to receive a best practice explanation. The existing Splunk consists of 3 search heads, 1 deployer, 1 master node, 1 DMC, 3 indexes, and 2 heavy forwarders. In this architecture, the search replication factors are all 2 and there is stock data available. The demand for local disaster recovery is: The host room where the existing data center's Xinchuang SIEM system is located has been shut down, and the data in the disaster recovery room can be queried normally. The closure of the newly built disaster recovery host room will not affect the use of the existing data center's SIEM system. RPO 0 cannot lose data, RTO can recover within 6 hours.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-16-2024 05:09 AM

The Splunk Validated Architectures manual should help.  You may be interested in the M3/M13 or M4/M14 models.  See https://docs.splunk.com/Documentation/SVA/current/Architectures/M4M14

---
If this reply helps you, Karma would be appreciated.
Reply

jiaminyun
Path Finder
‎10-29-2024 11:42 PM
After testing UF output cloning, it was found that it is impossible to achieve true same data distribution across multiple clusters! Is there any good solution for dual writing? most urgent!
0 Karma
Reply

jiaminyun
Path Finder
‎10-22-2024 03:41 AM

Thank you for your response, We have achieved the final same city disaster recovery architecture by combining M3/M13 and UF clone dual writing!

Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-16-2024 05:56 AM

Well, it's actually _not_ a disaster recovery. It's a HA solution with some assumed level of fault tolerance.

@jiaminyunThere is no such thing as "0 RPO" unless you do make some boundary conditions and prepare accordingly. A HA infrastructure like the one from SVAs can protect you in case of some disasters but will not protect you from other ones (like misconfiguration or deliberate data destroying). If you're OK with that - be my guest. Just be aware of it.

RTO actually depends on your equipment, storage and resources (including personnel) you can allocate to the recovery task.

Reply

jiaminyun
Path Finder
‎10-22-2024 03:43 AM
Thank you for your response, We have achieved the final same city disaster recovery architecture by combining M3/M13 and UF clone dual writing!
0 Karma
Reply

jiaminyun
Path Finder
‎10-29-2024 11:40 PM
After testing UF output cloning, it was found that it is impossible to achieve true same data distribution across multiple clusters! Is there any good solution for dual writing? most urgent!
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-30-2024 12:17 AM

If you mean sending to two output groups from a single forwarder - that works until one of them gets blocked. Then both stop. It's by design.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top