Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multi-Site Cluster: What would I configure for replication and search factor with 1 peer at each site?

Splunker
Communicator
‎08-31-2014 01:43 AM

Hi all,

Am planning a multi-site (2 datacenters) installation of Splunk Enterprise v6.1.3. It will include Enterprise Security if that changes anything.

There will be 1 SH per-DC, 1 IDXer per-DC, 1 HFWer per-DC (configured with a RF=2 SF=2)

Both SHs will be configured for distributed-search across the indexers at each site.

Will there be any issues having one side of the deployment in another DC with a higher-RTT than the local indexer?

I'm wondering whether to bother with using a 'multi-site' cluster mainly to make use of the search-affinity feature, but what would i configure for the site_replication_factor and site_search_factor when there is only 1 peer at each site?

Hoping someone could help clarify. I'm a little unclear on this..

Thanks.

Reply

mahamed_splunk
Splunk Employee
Splunk Employee
‎09-09-2014 12:12 PM

Yes, you can have one peer / site. The configuration to use is

site_replication_factor = origin:1,total:2

site_search_factor = origin:1,total:2

This states that keep 1 copy of the data in the origin site and another copy at some other site

Reply

Splunker
Communicator
‎09-20-2014 03:43 AM

I get this error with the above factors on my master-node in site1:

09-20-2014 20:41:02.611 +1000 ERROR ClusteringMgr - Failure to load cluster config (server.conf) Error = site_replication_factor={ origin:1, total:2 } is less than replication_factor=3.

I'm thinking i do need a minimum of 3 peers (or more) for multi-site?

Thanks.

0 Karma
Reply

hettervik
Builder
‎09-25-2015 01:58 AM

The way I understand it, when the number of peers in any site is lower than the default replication_factor and search_factor values, 3 and 2 respectively, you'll have to set replication_factor and search_factor.

From the answer above, add the two following lines:

replication_factor = 1
search_factor = 1

In addition to:

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

Reply

chrisfrigo
Path Finder
‎12-04-2017 08:29 PM

correct, needed

replication_factor = 1
search_factor = 1

in addition to

site_replication_factor = origin:1,total:2
site_search_factor = origin:1,total:2

0 Karma
Reply

dxu_splunk
Splunk Employee
Splunk Employee
‎09-20-2014 08:24 AM

set replication_factor=1 and search_factor=1

see http://docs.splunk.com/Documentation/Splunk/6.1/Indexer/Migratetomultisite#How_the_cluster_migrates_...

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...