Splunk Search

Multi-Site Cluster: What would I configure for replication and search factor with 1 peer at each site?

Splunker
Communicator

Hi all,

Am planning a multi-site (2 datacenters) installation of Splunk Enterprise v6.1.3. It will include Enterprise Security if that changes anything.

There will be 1 SH per-DC, 1 IDXer per-DC, 1 HFWer per-DC (configured with a RF=2 SF=2)

Both SHs will be configured for distributed-search across the indexers at each site.

Will there be any issues having one side of the deployment in another DC with a higher-RTT than the local indexer?

I'm wondering whether to bother with using a 'multi-site' cluster mainly to make use of the search-affinity feature, but what would i configure for the site_replication_factor and site_search_factor when there is only 1 peer at each site?

Hoping someone could help clarify. I'm a little unclear on this..

Thanks.

mahamed_splunk
Splunk Employee
Splunk Employee

Yes, you can have one peer / site. The configuration to use is

site_replication_factor = origin:1,total:2

site_search_factor = origin:1,total:2

This states that keep 1 copy of the data in the origin site and another copy at some other site

Splunker
Communicator

I get this error with the above factors on my master-node in site1:

09-20-2014 20:41:02.611 +1000 ERROR ClusteringMgr - Failure to load cluster config (server.conf) Error = site_replication_factor={ origin:1, total:2 } is less than replication_factor=3.

I'm thinking i do need a minimum of 3 peers (or more) for multi-site?

Thanks.

0 Karma

hettervik
Builder

The way I understand it, when the number of peers in any site is lower than the default replication_factor and search_factor values, 3 and 2 respectively, you'll have to set replication_factor and search_factor.

From the answer above, add the two following lines:

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

chrisfrigo
Path Finder

correct, needed

replication_factor = 1
search_factor = 1

in addition to

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

0 Karma

dxu_splunk
Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...