Deployment Architecture

Sharing SAN volume for indexer cluster

pachinis
Engager

Dear Splunk experts, Dear community,
I am currently planning a change in our Splunk environment to increase reliablity and scalability. Currently running a single indexer with a number of Search Heads.
The goal is to set up the environment to continue operations in case of any single host outage. Would like to set up a cluster of two indexers for this.
We store indexes on mirrored SAN so that it will be operable if the main node is down - standby will have full copy of data.
It is possible to split volume on SAN to two equal parts, make partitions for the indexers and set Replication factor = 2. In that case we will have four copies of data stored (2 peers * 2 SAN nodes) and twice less volume for indexes.

Is there a better way to store data in our case without number of copies overkill and with no loss of capacity? Setting RF=1 is not an option because half of indexed data will be not available in case of an indexer peer loss.
Can we make two indexer peers work with the same SAN partition for writing and reading data?
Thank you!

Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @pachinis,
shared SAN isn't a good idea because in this way you surely haven't good performces in your Splunk.
The best approach is to use the the Splunk Indexers Cluster features so you have all the full data in two different servers, continously aligned between them that can answer to the search request in normal work and manage fail over when one of them is down.
If you want more copies of the data, eventually you can use more servers but not two mirrored servers.

Ciao.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @pachinis,
shared SAN isn't a good idea because in this way you surely haven't good performces in your Splunk.
The best approach is to use the the Splunk Indexers Cluster features so you have all the full data in two different servers, continously aligned between them that can answer to the search request in normal work and manage fail over when one of them is down.
If you want more copies of the data, eventually you can use more servers but not two mirrored servers.

Ciao.
Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @pachinis,

if this answer solves your need, please accept it for the other people of Community otherwise, please tell us how to help you.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

codebuilder
Influencer

Shared storage is not a good use case in your example, imvho.
Why not carve off two LUN's, present one to each of your two indexers, cluster them, and set your replication factor to 2?

----
An upvote would be appreciated and Accept Solution if it helps!
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...