Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What are the steps to adding an additional peer node/Indexer to a stand alone instance?

nwilliams68
New Member
‎08-30-2022 07:49 AM

We currently have our Splunk Enterprise instance all running on a stand-alone vm but are looking to add an additional vm for some sort of replication sort of a hot cold standby option or whatever the best practice may be.  Has anyone had experience doing this and what were your steps? 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2022 12:10 PM

Splunk doesn't support standby systems (Splunk 9 introduced a standby Cluster Manager, but doesn't help here).

The Best Practice for replicating data is to use an Indexer Cluster.  An indexer cluster has two more indexers which automatically copy index buckets among themselves.  You'll also need an instance to serve as the Cluster Manager to oversee the indexer cluster and a License Manager.

Going from a standalone instance to a cluster is not trivial - at least if you want to retain your data.  Single-instance buckets have to be converted into clustered buckets (preferably multi-site to allow for future growth).  A Professional Services engagement is recommended.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-31-2022 12:22 AM

Hi

as @richgalloway said the easiest way to do it, is contacting to Splunk PS. If you want to try it by yourself then here is instructions how to convert single peer to indexer cluster https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Migratenon-clusteredindexerstoaclustered.... There is also instruction how to go multisite cluster. You can do multisite cluster also with one site if you don't need it now but maybe later.

Before you start to migrate current one, you should consider is it better to just create a new indexer cluster from scratch and then add both old peer and new cluster as search peers to your SH? Especially if your current search peer has short data retention time this could be a reasonable option.

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...