I must admit I am struggling with wrapping my head around multisite replication... We operate in AWS and do build infrastructure in different AZs, sometimes 2 and other times 3. What are the optimal settings for each of these scenarios? I realize that some of them may consume much more storage but also be more avail...
Any help is much appreciated. Thanks!
With specific regards to AWS, your optimum configuration for availability is to have a site replica origin RF to match the AZ count (or as many AZs as you are using). This means your storage volume is AZs x data, but it also means you can sustain a failure in at least 1 AZ, if not more, without losing replica copies.
Your search factor will depend on where your users are searching from, and how critical is search in the immediate aftermath of AZ failure?
If Splunk is critical to you (of course it is) and you NEED Splunk searching immediately - you should set the SF to match the RF - i.e. every Splunk instance has a full searchable copy.
With Multi-Site clusters - you can dictate that a remote site has a full searchable copy of the data - if I were to assume this other site was in a different region, keeping a full replica copy (or more than 1) would give you immediate search from a surviving region into the environment affected with whatever surviving Splunk infrastructure you have.
So, the answer really is it depends. If you have the space and resources, the higher your RF and SF the better - Multi site clusters allow you to pare this down in remote sites for cost optimisation purposes, or to bring searchable copies 'closer' to where users are likely to be using the data.
What's your goal? If you have 1 origin and 3 total the data is still available in the event 1 site is down.
If you make your searchable 1 origin and 2 total the data is searchable in the case 1 site is down...
If you want complete availability during a rolling restart of your cluster then you probably want a larger replication factor than 2 total...
Hi,
This document may help you:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor
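
How the values suggested in the replies above look in the cluster master's server.conf for a three-AZ deployment, as an added example that is not from any of the posters. The site names site1 to site3 (one site per AZ) are assumptions, and each peer would carry its own `site = siteN` under `[general]`.

```ini
# server.conf on the cluster master (added example; site names are assumed)
[general]
# The master itself must also belong to a site.
site = site1

[clustering]
mode = master
multisite = true
# One Splunk site per AWS availability zone (assumed mapping).
available_sites = site1,site2,site3

# "1 origin and 3 total": at least one copy stays in the AZ that
# received the data, and three copies exist across the cluster.
site_replication_factor = origin:1,total:3

# "1 origin and 2 total" searchable: two of those copies are searchable.
# Values here may not exceed the matching site_replication_factor values.
site_search_factor = origin:1,total:2

# Alternative from the first reply (SF matches RF, so every copy is
# searchable, at the cost of more storage for index files):
# site_search_factor = origin:1,total:3
```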