Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multisite Index replication question

brent_weaver
Builder
‎01-21-2018 06:30 PM

I must admit I am struggling with wrapping my head around multisite replication... We operate in AWS and do build infrastructure in different AZ's, sometimes 2 and other times 3.What is the optimal settings for both each of these scinerios? I realize that some of them may consume much more storage but also be more avail...

Any help is much appreciated. Thanks!

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎01-22-2018 02:00 AM

With specific regards to AWS, your optimum configuration for availability is to have a site replica origin RF to match the AZ count.
(or as many AZs as you are using). This means your storage volume is AZ's x data, but it also means you can sustain a failure in at least 1 AZ if not more, with out loosing replica copies.

Your search factor will depend on where you users are searching from, and how critical is search in the immediate aftermath of AZ failure?
If Splunk is critical to you (of course it is) and you NEED Splunk searching immediately - you should set the SF to match the RF - i.e every Splunk instance has a full searchable copy.

With Multi-Site clusters - you can dictate that a remote site has a full searchable copy of the data - if I were to assume this other site was in a different region, keeping a full replica copy (or more than 1) would give you immediate search from a surviving region into the environment affected with whatever surviving Splunk infrastructure you have.

So, the answer really is it depends. If you have the space, and resource the higher your RF and SF the better - Multi site clusters allow you to par this down in remote sites for cost optimisation purposes, or to bring searchable copies 'closer' to where users are likely to be using the data.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎01-21-2018 11:55 PM

What's your goal? If you have 1 origin and 3 total the data is still available in the event 1 site is down.
If you make your searchable 1 origin and 2 total the data is searchable in the case 1 site is down...

If you want complete availability during a rolling restart of your cluster then you probably want a larger replication factor than 2 total...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

p_gurav
Champion
‎01-21-2018 09:39 PM

Hi,

This document may help you :
http://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Sitereplicationfactor

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...