We have a 3-site cluster with one site being primary, the other two being for HA/DR. So all primary data goes to site 1, and one copy of each bucket is replicated to sites 2 and 3.
We're migrating to new hardware, and keeping the old indexers online/letting existing data age out isn't an option. In our future configuration, we want a 2-site cluster with both sites "active" (i.e., receiving primary data and replicating to the other site).
What's the best way to go about this? Should we just move the primary buckets from site 1 into the new cluster and let Splunk replicate across the two sites? Should we decommission one of our existing sites, so there's site parity between the two environments before migrating data?