Multisite Index replication question


I must admit I am struggling with wrapping my head around multisite replication... We operate in AWS and do build infrastructure in different AZs, sometimes 2 and other times 3. What are the optimal settings for each of these scenarios? I realize that some of them may consume much more storage but also be more avail...

Any help is much appreciated. Thanks!


Ultra Champion

With specific regard to AWS, your optimum configuration for availability is to have a site replication factor (origin RF) that matches the AZ count (or as many AZs as you are using). This means your storage volume is AZs × data, but it also means you can sustain a failure in at least 1 AZ, if not more, without losing replica copies.

Your search factor will depend on where your users are searching from, and how critical search is in the immediate aftermath of an AZ failure.
If Splunk is critical to you (of course it is) and you NEED Splunk searching immediately, you should set the SF to match the RF, i.e. every Splunk instance has a full searchable copy.

With multisite clusters you can dictate that a remote site has a full searchable copy of the data. If I were to assume this other site was in a different region, keeping a full replica copy (or more than 1) would give you immediate search from a surviving region into the environment affected, with whatever surviving Splunk infrastructure you have.

So, the answer really is: it depends. If you have the space and resources, the higher your RF and SF the better. Multisite clusters allow you to pare this down in remote sites for cost optimisation purposes, or to bring searchable copies 'closer' to where users are likely to be using the data.

If my comment helps, please give it a thumbs up!


What's your goal? If you have 1 origin and 3 total, the data is still available in the event 1 site is down.
If you make your searchable factor 1 origin and 2 total, the data is searchable in the case 1 site is down...

If you want complete availability during a rolling restart of your cluster then you probably want a larger replication factor than 2 total...

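To make the origin/total discussion in both answers concrete, here is a server.conf fragment for the cluster manager covering the two cases the question asks about (2 AZs and 3 AZs, one site per AZ). This is an added illustration, not configuration posted by either answerer or taken from Splunk documentation. The site names `site1`..`site3`, the `cluster_label`, the manager hostname and the `pass4SymmKey` value are placeholders; `mode = manager` / `manager_uri` are the attribute names used by recent Splunk releases (older releases use `master` / `master_uri`).

```ini
# Cluster manager, 3 AZs (site1, site2, site3): one searchable copy in every AZ.
# Added example; site names, cluster_label, hostnames and the shared secret are placeholders.
[general]
site = site1

[clustering]
mode = manager                      ; "master" on older Splunk releases
multisite = true
available_sites = site1,site2,site3
cluster_label = example-cluster
pass4SymmKey = <shared-secret>      ; must be identical on manager, peers and search heads

; RF: one copy on the originating AZ plus one on each other AZ, 3 in total.
; Naming each site explicitly pins a copy to that AZ; copies that are not
; pinned to a site may be placed on any site the manager chooses, so a bare
; "origin:1,total:3" does not by itself guarantee one copy per AZ.
site_replication_factor = origin:1,site1:1,site2:1,site3:1,total:3

; SF: every copy searchable, so searches keep running if any single AZ is lost
; and also while one peer at a time is down during a rolling restart.
; A site value in site_search_factor can never exceed that site's value in
; site_replication_factor, and SF total can never exceed RF total.
site_search_factor = origin:1,site1:1,site2:1,site3:1,total:3

; --- 2-AZ variant: same idea with one fewer site (storage = 2x raw data) ---
; available_sites = site1,site2
; site_replication_factor = origin:1,site1:1,site2:1,total:2
; site_search_factor = origin:1,site1:1,site2:1,total:2

; --- 3-AZ cost-reduced variant: 3 copies for durability, only 2 searchable ---
; Saves the tsidx overhead of the third copy; the trade-off is that after an AZ
; failure some buckets may have to be made searchable before results are complete.
; site_search_factor = origin:1,total:2

; --- On each indexer (cluster peer); only "site" changes per AZ ---
; [general]
; site = site2
; [clustering]
; mode = peer
; manager_uri = https://manager.example.internal:8089   ; "master_uri" on older releases
; pass4SymmKey = <shared-secret>

; --- On each search head; set "site" to the AZ it runs in so searches prefer local copies ---
; [general]
; site = site3
; [clustering]
; mode = searchhead
; manager_uri = https://manager.example.internal:8089
; pass4SymmKey = <shared-secret>
```

Apply it on the manager with `splunk apply cluster-bundle` (or a manager restart for [clustering] changes) and confirm the result with `splunk show cluster-status` (or the manager's Indexer Clustering dashboard): the "replication factor met" and "search factor met" indicators should both be true once the peers have caught up.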