Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I configure indexes to replicate data with each other in a Splunk deployment?

rashid47010
Communicator
‎04-14-2018 10:46 AM

Hi everyone
I am planning to create a Splunk lab.
I want
2 Forwarders- who will receive the logs from multiple sources(windows, UNIX, log files, etc)
2 indexers who are you replicating data with each other

One search head.

For forwards high availability I configure both indexers IP’s in output.conf file in both Forwarders.

Q-Now how can I configure indexes to replicate data with each other?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-17-2018 08:43 AM

@rashid47010,
please refer to above comments by @SteveG and @skoelpin
for an indexer cluster to replicate data you will need at least 4 machines - 1 Cluster Master, 1 Search Head and 2 Indexers.

hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-17-2018 08:43 AM

@rashid47010,
please refer to above comments by @SteveG and @skoelpin
for an indexer cluster to replicate data you will need at least 4 machines - 1 Cluster Master, 1 Search Head and 2 Indexers.

hope it helps

View solution in original post

Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-17-2018 04:41 AM

Hi

Configure your SH to search thru both indexers.

Thats will be the best shot for dev . environment

Reply
Solved! Jump to solution

rashid47010
Communicator
‎05-02-2018 01:40 AM

how can I accept your answer

0 Karma
Reply
Solved! Jump to solution

rashid47010
Communicator
‎05-02-2018 01:37 AM

@ssadanala1
thanks.
it is helpful to understand basic concept.

0 Karma
Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-17-2018 04:40 AM

Hi,

You can configure your SH to search through both indexers .

That will be the best shot in this scenario

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-14-2018 11:16 PM

you can configure indexer clustering. Refer below docs:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Aboutclusters

0 Karma
Reply
Solved! Jump to solution

rashid47010
Communicator
‎04-15-2018 03:06 AM

hi
thanks for your kind reply.
I believe that I need another server as index cluster.
I am limited with resources.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎04-16-2018 02:00 PM

Don't cluster your indexers until you have 3 indexers and 1 cluster master available

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-15-2018 09:30 PM

This is not best practice, but you can make your search head as cluster master and then configure indexer clustering, as you have limited resources.

0 Karma
Reply
Solved! Jump to solution

Steve_G_
Splunk Employee
Splunk Employee
‎04-16-2018 09:19 AM

More than "not best practice", using a search head as the cluster master is not supported. See http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Systemrequirements#Required_Splunk_Enterpr...

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!