advice for syncing knowledge bundles over the WAN

tpsplunk · ‎09-13-2011

I have West Coast and an East Coast Datacenters with splunk indexers. my search users are in the West coast so my single search head is here on the West coast. I'd like to use mounted knowledge bundles but i'm not sure its practical to NFS mount my East Coast indexers to a West Coast NFS share. has anyone sync'd knowledge bundles across the country (or further)? should I try the NFS mount or should I do something like create a local NFS mount to East Coast and use a copy process (cron job and rsync job or SAN replication,etc) to copy the knowledge bundle from West Coast to East?

fbl_itcs · ‎10-29-2013

Hi,

I'm having the same issue here. Did you found a practical way to achive this?

Regards,
Felix

tpsplunk · ‎10-29-2013

No I never got it working. we recently hired someone that had some previous multi-geography splunk experience;we're in the middle of implementing recommended changes. He recommended to only have indexers in your local search environment. In your remote Datacenters configure your universal forwarders to send to locally installed heavy forwarders that do some index level work (transforms,etc). These forward the data on to the indexers in the local DC. obviously this isn't a one size fits all solution. it's probably best to engage splunk professional services to help with this kind of change.

advice for syncing knowledge bundles over the WAN

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability