I inherited a splunk mesh of search-heads, deployment server, index cluster, etc. I am trying to figure out all this splunk stuff, but ran into an issue that I am not sure if it ignores best practice, poor judgement, or as intended.
We have 8 main indexers that do what indexers do, all clustered as peer nodes.
The deployment server is the master node and the search head for the cluster (which I don't understand, since we also have 5 main separate search heads).
We also have a disaster recovery (DR) site that has an indexer as a peer node that is part of the aforementioned cluster.
The cluster has a Replication factor 3, for # of copies of raw data.
The cluster has a Search factor of 2, for # of searchable copies.
Newer to cyber so forgive me if I don't understand right away or if I am missing something glaringly obvious. But does it make sense to have the DR indexer be part of the cluster? If it does make sense, then how do I ensure that the other 8 indexers send a copy of all their stuff to the DR indexer? I thought the master node just kind of juggles the incoming streams from the forwarders and balances the data across all the indexers. Also:
- should the deployment server double as a master node and search head for the index cluster?
- what is the difference between the 5 main separate search heads and the search head in the index cluster?
- (last one, I swear) would it make sense to have a search head cluster, or keep the search heads separate, as the 5 are accessed and used by different groups (networking, development, QA/testing, cybersecurity, and UBA (which we don't even have UBA servers active right now cuz I cannot get them to work or the web UI to launch))
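The DR question in the post comes down to bucket placement: a single-site cluster with RF 3 / SF 2 puts copies on any 3 of the 9 peers, so nothing forces a copy onto the DR indexer. The `server.conf` fragments below are an added example, not from the post or from Splunk's docs, showing the inferred current layout beside a multisite layout that pins one copy of every bucket to the DR site; they assume Splunk Enterprise 8.1+ stanza names (`manager`/`peer`, `manager_uri`), a site named `site2` for the DR indexer, and placeholder hostnames and secrets.

```ini
# Added example (not from the post). Assumes Splunk Enterprise 8.1+ naming;
# hostnames, site names and the pass4SymmKey value are placeholders.

# --- Current single-site layout (inferred from the post) ---
# Manager node server.conf: RF 3 / SF 2 with no site awareness.
# The manager may satisfy RF 3 entirely on the 8 main indexers, so the
# DR peer is not guaranteed to hold a copy of any given bucket.
[clustering]
mode = manager
replication_factor = 3
search_factor = 2
pass4SymmKey = <CLUSTER_SECRET_PLACEHOLDER>

# --- Multisite layout: one copy of every bucket lands on the DR site ---
# Manager node server.conf
[general]
site = site1

[clustering]
mode = manager
multisite = true
available_sites = site1,site2
# 2 copies on the 8 main indexers, 1 copy on the DR indexer, 3 total (RF unchanged)
site_replication_factor = site1:2,site2:1,total:3
# 1 searchable copy per site, 2 total (SF unchanged), so DR can search locally
site_search_factor = site1:1,site2:1,total:2
pass4SymmKey = <CLUSTER_SECRET_PLACEHOLDER>

# Each of the 8 main indexers, server.conf
[general]
site = site1

[clustering]
mode = peer
manager_uri = https://<MANAGER_HOST_PLACEHOLDER>:8089
pass4SymmKey = <CLUSTER_SECRET_PLACEHOLDER>

# The DR indexer, server.conf
[general]
site = site2

[clustering]
mode = peer
manager_uri = https://<MANAGER_HOST_PLACEHOLDER>:8089
pass4SymmKey = <CLUSTER_SECRET_PLACEHOLDER>
```

With `site2:1` every bucket in the cluster gets a copy on the lone DR peer, so that host needs disk for the full retained data set, and a site with a single peer can never satisfy a per-site factor above 1. In a multisite cluster each search head also needs its own `site` value so searches prefer local copies.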