Splunk Search

Mirror index data

mzupan
New Member

We currently upgraded our splunk server to 5 and have a seperate splunk search head at our office which is on a really fast hardware. We'd like to offload the searches to the office server so nothing is run on our current splunk server which is a slower VM.

So is there a way with clustering to mirror the index data to the office server and have searches only run off of there if people connect to it via the web?

Tags (2)
0 Karma

Vishal_Patel
Splunk Employee
Splunk Employee

Not sure I understand, but I'll give it a shot as well:

"nothing is run on our current splunk server which is a slower VM'

Are you basically just trying to decommission your VM in favor of bare metal server? If that is all you're doing, its probably best to do a manual migration where you copy your indexes over from your VM->office server rather than use clustering.

However, if your intention is for both your VM and office server to act as a clustered peers, and you're asking if you can some how make the office-server answer all the queries and fallback to VM upon failure, the answer is no. In 5.0 clustering, there all peers in a cluster are considered "equal", so the query load will be shared across both peers . Also note in this case, you will need at least one additional node to act as a cluster master.

0 Karma

Lucas_K
Motivator

I'm not sure if i totally understand your question but i'll give it ago.

My understanding of v5.0 only new data will be replicated to other indexes within the cluster. Yet in your post you've said you have "a seperate splunk search head at our office". This conflicts against you actual question (index data mirroring).

From this I infer that you currently have the following.

1 x indexer that you currently directly perform searches on (Slower vm).
1 x new search head. (Bare metal hw)

Have you tried just pointing this new search head at the existing index and comparing the performance? You havn't indicated what connectivity issues might be between these two machines (ie. different sites etc). If they are on the same site you can just try using your newer machine as the search head that uses your existing index and its data (distributed search with a single index).

If it is highly cpu bound searches you should see an increase in performance. On the existing index only your input/parsing will be occuring. So mainly io intensive operations.

Is there a specific reason for trying to mirror the data instead of migrating it to the new index/search head? ie. current network limitation/different network/location etc?

0 Karma

mzupan
New Member

yes the vm is the indexer and the bare metal is hte hw. I just want to mirror on the index to bare metal so all my historical data is there also. I know i can forward data to both places but I'd rather just forward the index and not send all my logging data over the internet

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...