Splunk Search

Mirror index data

mzupan
New Member

We currently upgraded our splunk server to 5 and have a seperate splunk search head at our office which is on a really fast hardware. We'd like to offload the searches to the office server so nothing is run on our current splunk server which is a slower VM.

So is there a way with clustering to mirror the index data to the office server and have searches only run off of there if people connect to it via the web?

Tags (2)
0 Karma

Vishal_Patel
Splunk Employee
Splunk Employee

Not sure I understand, but I'll give it a shot as well:

"nothing is run on our current splunk server which is a slower VM'

Are you basically just trying to decommission your VM in favor of bare metal server? If that is all you're doing, its probably best to do a manual migration where you copy your indexes over from your VM->office server rather than use clustering.

However, if your intention is for both your VM and office server to act as a clustered peers, and you're asking if you can some how make the office-server answer all the queries and fallback to VM upon failure, the answer is no. In 5.0 clustering, there all peers in a cluster are considered "equal", so the query load will be shared across both peers . Also note in this case, you will need at least one additional node to act as a cluster master.

0 Karma

Lucas_K
Motivator

I'm not sure if i totally understand your question but i'll give it ago.

My understanding of v5.0 only new data will be replicated to other indexes within the cluster. Yet in your post you've said you have "a seperate splunk search head at our office". This conflicts against you actual question (index data mirroring).

From this I infer that you currently have the following.

1 x indexer that you currently directly perform searches on (Slower vm).
1 x new search head. (Bare metal hw)

Have you tried just pointing this new search head at the existing index and comparing the performance? You havn't indicated what connectivity issues might be between these two machines (ie. different sites etc). If they are on the same site you can just try using your newer machine as the search head that uses your existing index and its data (distributed search with a single index).

If it is highly cpu bound searches you should see an increase in performance. On the existing index only your input/parsing will be occuring. So mainly io intensive operations.

Is there a specific reason for trying to mirror the data instead of migrating it to the new index/search head? ie. current network limitation/different network/location etc?

0 Karma

mzupan
New Member

yes the vm is the indexer and the bare metal is hte hw. I just want to mirror on the index to bare metal so all my historical data is there also. I know i can forward data to both places but I'd rather just forward the index and not send all my logging data over the internet

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...