Multisite Index replication question

brent_weaver
Builder

I must admit I am struggling with wrapping my head around multisite replication... We operate in AWS and do build infrastructure in different AZs, sometimes 2 and other times 3. What are the optimal settings for each of these scenarios? I realize that some of them may consume much more storage but also be more avail...

Any help is much appreciated. Thanks!

0 Karma

nickhills
Ultra Champion

With specific regard to AWS, your optimum configuration for availability is to have a site replica origin RF to match the AZ count (or as many AZs as you are using). This means your storage volume is AZs x data, but it also means you can sustain a failure in at least 1 AZ, if not more, without losing replica copies.

Your search factor will depend on where your users are searching from, and how critical search is in the immediate aftermath of an AZ failure.
If Splunk is critical to you (of course it is) and you NEED Splunk searching immediately - you should set the SF to match the RF - i.e. every Splunk instance has a full searchable copy.

With Multi-Site clusters - you can dictate that a remote site has a full searchable copy of the data - if I were to assume this other site was in a different region, keeping a full replica copy (or more than 1) would give you immediate search from a surviving region into the environment affected with whatever surviving Splunk infrastructure you have.

So, the answer really is: it depends. If you have the space and resource, the higher your RF and SF the better - Multi site clusters allow you to pare this down in remote sites for cost optimisation purposes, or to bring searchable copies 'closer' to where users are likely to be using the data.

If my comment helps, please give it a thumbs up!
0 Karma

gjanders
SplunkTrust

What's your goal? If you have 1 origin and 3 total the data is still available in the event 1 site is down.
If you make your searchable 1 origin and 2 total the data is searchable in the case 1 site is down...

If you want complete availability during a rolling restart of your cluster then you probably want a larger replication factor than 2 total...

0 Karma
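For reference, the "1 origin and 3 total" replication and "1 origin and 2 total" search settings mentioned in this reply, written as a server.conf fragment for a three-AZ cluster. This is an added example, not a configuration posted by anyone in the thread; the site names and their mapping to AZs are assumptions, and only the multisite-related settings are shown.

```ini
# server.conf on the cluster manager (added example; site names are assumed)
[general]
# The manager itself must belong to a site.
site = site1

[clustering]
# Older releases use "master" here instead of "manager".
mode = manager
multisite = true
# One Splunk site per AWS availability zone (assumed mapping).
available_sites = site1,site2,site3
# One copy stays in the AZ where the data was ingested, three copies
# exist in total, so the other two AZs also hold the data.
site_replication_factor = origin:1,total:3
# One searchable copy in the originating AZ, two searchable copies in
# total, so the data stays searchable if one AZ is lost.
site_search_factor = origin:1,total:2

# server.conf on each indexer (peer) sets the site for its own AZ, e.g.:
# [general]
# site = site2
```

Setting the search factor total equal to the replication factor total, as suggested earlier in the thread, makes every copy searchable at the cost of the extra index files on each peer.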

p_gurav
Champion
0 Karma