Hello,
I have a Splunk Indexer cluster. The cluster consists of 3 peer nodes, with a replication factor of 3.
My issues are surrounding freezing off old log data.
I need to be able to archive off old logs. The documentation does not give a definitive way to do this with a clustered environment. I would think that since I have a replication factor of 3, each indexer has a complete copy of all the data, and therefore, I would only need to freeze data from one peer node.
If the observation in point 1 is correct, since all configuration should be the same between indexers in a cluster, I don't think I can use the native Splunk config for archiving log data (or can I)?
How have others handled this?
Does anyone have any advice on how to best proceed?
Cheers!