Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I configure indexes to replicate data with each other in a Splunk deployment?

rashid47010
Communicator
‎04-14-2018 10:46 AM

Hi everyone
I am planning to create a Splunk lab.
I want
2 Forwarders- who will receive the logs from multiple sources(windows, UNIX, log files, etc)
2 indexers who are you replicating data with each other

One search head.

For forwards high availability I configure both indexers IP’s in output.conf file in both Forwarders.

Q-Now how can I configure indexes to replicate data with each other?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-17-2018 08:43 AM

@rashid47010,
please refer to above comments by @SteveG and @skoelpin
for an indexer cluster to replicate data you will need at least 4 machines - 1 Cluster Master, 1 Search Head and 2 Indexers.

hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-17-2018 08:43 AM

@rashid47010,
please refer to above comments by @SteveG and @skoelpin
for an indexer cluster to replicate data you will need at least 4 machines - 1 Cluster Master, 1 Search Head and 2 Indexers.

hope it helps

Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-17-2018 04:41 AM

Hi

Configure your SH to search thru both indexers.

Thats will be the best shot for dev . environment

Reply
Solved! Jump to solution

rashid47010
Communicator
‎05-02-2018 01:40 AM

how can I accept your answer

0 Karma
Reply
Solved! Jump to solution

rashid47010
Communicator
‎05-02-2018 01:37 AM

@ssadanala1
thanks.
it is helpful to understand basic concept.

0 Karma
Reply
Solved! Jump to solution

ssadanala1
Contributor
‎04-17-2018 04:40 AM

Hi,

You can configure your SH to search through both indexers .

That will be the best shot in this scenario

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-14-2018 11:16 PM

you can configure indexer clustering. Refer below docs:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Aboutclusters

0 Karma
Reply
Solved! Jump to solution

rashid47010
Communicator
‎04-15-2018 03:06 AM

hi
thanks for your kind reply.
I believe that I need another server as index cluster.
I am limited with resources.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎04-16-2018 02:00 PM

Don't cluster your indexers until you have 3 indexers and 1 cluster master available

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-15-2018 09:30 PM

This is not best practice, but you can make your search head as cluster master and then configure indexer clustering, as you have limited resources.

0 Karma
Reply
Solved! Jump to solution

Steve_G_
Splunk Employee
Splunk Employee
‎04-16-2018 09:19 AM

More than "not best practice", using a search head as the cluster master is not supported. See http://docs.splunk.com/Documentation/Splunk/7.0.3/Indexer/Systemrequirements#Required_Splunk_Enterpr...

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...