Hi all,
Am planning a multi-site (2 datacenters) installation of Splunk Enterprise v6.1.3. It will include Enterprise Security if that changes anything.
There will be 1 SH per-DC, 1 IDXer per-DC, 1 HFWer per-DC (configured with a RF=2 SF=2)
Both SHs will be configured for distributed-search across the indexers at each site.
Will there be any issues having one side of the deployment in another DC with a higher-RTT than the local indexer?
I'm wondering whether to bother with using a 'multi-site' cluster mainly to make use of the search-affinity feature, but what would I configure for the site_replication_factor and site_search_factor when there is only 1 peer at each site?
Hoping someone could help clarify. I'm a little unclear on this.
Thanks.
Yes, you can have one peer / site. The configuration to use is
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
This says to keep 1 copy of the data in the origin site and another copy at some other site.
I get this error with the above factors on my master-node in site1:
09-20-2014 20:41:02.611 +1000 ERROR ClusteringMgr - Failure to load cluster config (server.conf) Error = site_replication_factor={ origin:1, total:2 } is less than replication_factor=3.
I'm thinking I do need a minimum of 3 peers (or more) for multi-site?
Thanks.
The way I understand it, when the number of peers in any site is lower than the default replication_factor and search_factor values, 3 and 2 respectively, you'll have to set replication_factor and search_factor.
From the answer above, add the two following lines:
replication_factor = 1
search_factor = 1
In addition to:
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
correct, needed
replication_factor = 1
search_factor = 1
in addition to
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
set replication_factor=1 and search_factor=1
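Added example, not part of the thread and not Splunk's own code: a small pre-flight check for the master's [clustering] stanza that reproduces the comparison behind the ClusteringMgr error quoted above and shows why both extra lines are needed. The function names and the sample server.conf are constructed for illustration; the site_search_factor check is assumed to mirror the replication one.

```python
import configparser

# Defaults Splunk applies when the single-site settings are absent (3 and 2, as the thread notes).
DEFAULT_RF, DEFAULT_SF = 3, 2

def parse_site_factor(value):
    """Turn 'origin:1,total:2' into {'origin': 1, 'total': 2}."""
    pairs = (item.split(":", 1) for item in value.split(","))
    return {k.strip(): int(v) for k, v in pairs}

def check_clustering(conf_text):
    """Return a list of problems found in the [clustering] stanza of a master's server.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    c = cp["clustering"]
    if not c.getboolean("multisite", fallback=False):
        return []  # the site_* settings only matter on a multisite master
    rf = c.getint("replication_factor", fallback=DEFAULT_RF)
    sf = c.getint("search_factor", fallback=DEFAULT_SF)
    site_rf = parse_site_factor(c["site_replication_factor"])["total"]
    site_sf = parse_site_factor(c["site_search_factor"])["total"]
    problems = []
    # The comparison behind the ClusteringMgr error quoted in the thread.
    if site_rf < rf:
        problems.append(f"site_replication_factor total={site_rf} is less than replication_factor={rf}")
    # Assumption: the search factor is checked the same way.
    if site_sf < sf:
        problems.append(f"site_search_factor total={site_sf} is less than search_factor={sf}")
    # Splunk requires the search factor to be no larger than the replication factor.
    if sf > rf:
        problems.append(f"search_factor={sf} is greater than replication_factor={rf}")
    return problems

# Constructed sample: the first answer's settings, single-site factors left at their defaults.
BASE = """[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2
"""

if __name__ == "__main__":
    for extra in ("", "replication_factor = 1\n", "replication_factor = 1\nsearch_factor = 1\n"):
        print(repr(extra), "->", check_clustering(BASE + extra) or "OK")
```

Setting only replication_factor = 1 trades the first error for a search_factor complaint, which is why the answers set both values.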