It's not so much a question about how many indices you have (within reason). Also, it is the total bucket count in the cluster that contributes the most to any operational processes, like restarts and such. The real benefit of increasing your indexer count would be in being better able to distribute & parallelize the searches your users run against the data, which will likely improve search performance overall. Also, with only two peers in a cluster, the cluster can never return to valid and complete status when you lose a peer (assuming you have RF=2). You would certainly want to scale your existing cluster vs. creating a second cluster and dealing with the administrative overhead of managing a second cluster manager and ensuring the cluster configurations are identical. Going wider also gives you more replication targets that can receive replicas during/after any peer outages. For normal/planned restarts, consider putting the cluster into maintenance mode to prevent any fixup attempts (which will fail anyway given you only have two peers). Finally, there are some significant improvements implemented for the cluster manager in 8.1.x that greatly reduce the time it takes for peers and/or cluster manager to restart, so consider upgrading if you are not already on that version.
... View more
Hi Guys, I have: 1 x Search Node 1 x Master Node - 2 x Peer Nodes 1 x Deployment Node I've updated the master_uri & pass4SymmKey in the Search node and restarted it Splunk via the GUI, this worked fine and the license page is showing the new values. However, I am a bit reluctant to just change/restart the other nodes for fear of any bucket/replication issues. Am I ok to update the Master Node the same and perform a normal restart? Then update the Peer Nodes and perform a Rolling Restart? If not, what it is the best way to apply the conf changes and apply them? I did try searching the documentation but I got a bit lost. Thank you in advance.
... View more