Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I configure indexes to replicate data with each other in a Splunk deployment?

rashid47010
Communicator
‎04-14-2018 10:46 AM

Hi everyone
I am planning to create a Splunk lab.
I want
2 Forwarders- who will receive the logs from multiple sources(windows, UNIX, log files, etc)
2 indexers who are you replicating data with each other

One search head.

For forwards high availability I configure both indexers IP’s in output.conf file in both Forwarders.

Q-Now how can I configure indexes to replicate data with each other?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-17-2018 08:43 AM

@rashid47010,
please refer to above comments by @SteveG and @skoelpin
for an indexer cluster to replicate data you will need at least 4 machines - 1 Cluster Master, 1 Search Head and 2 Indexers.

hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-17-2018 08:43 AM

@rashid47010,
please refer to above comments by @SteveG and @skoelpin
for an indexer cluster to replicate data you will need at least 4 machines - 1 Cluster Master, 1 Search Head and 2 Indexers.

hope it helps

Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-17-2018 04:41 AM

Hi

Configure your SH to search thru both indexers.

Thats will be the best shot for dev . environment

Reply
Solved! Jump to solution

rashid47010
Communicator
‎05-02-2018 01:40 AM

how can I accept your answer

0 Karma
Reply
Solved! Jump to solution

rashid47010
Communicator
‎05-02-2018 01:37 AM

@ssadanala1
thanks.
it is helpful to understand basic concept.

0 Karma
Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-17-2018 04:40 AM

Hi,

You can configure your SH to search through both indexers .

That will be the best shot in this scenario

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-14-2018 11:16 PM

you can configure indexer clustering. Refer below docs:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Aboutclusters

0 Karma
Reply
Solved! Jump to solution

rashid47010
Communicator
‎04-15-2018 03:06 AM

hi
thanks for your kind reply.
I believe that I need another server as index cluster.
I am limited with resources.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎04-16-2018 02:00 PM

Don't cluster your indexers until you have 3 indexers and 1 cluster master available

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-15-2018 09:30 PM

This is not best practice, but you can make your search head as cluster master and then configure indexer clustering, as you have limited resources.

0 Karma
Reply
Solved! Jump to solution

Steve_G_
Splunk Employee
Splunk Employee
‎04-16-2018 09:19 AM

More than "not best practice", using a search head as the cluster master is not supported. See http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Systemrequirements#Required_Splunk_Enterpr...

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...