Getting Data In

Is replication possible with only two indexers?

hartcl1
Explorer

I only have two machines/servers/indexers. Can I get true replication with only two systems?

Server-1 and Server-2. I can't build any additional servers.

I want to point all of my clients to Server-1 as the primary. I want Splunk to make sure Server-2's data is identical.

If I lose Server-1 I want my forwarders to point to their secondary server. i.e. Server-2.

When Server-1 comes back online I want everything to fail back to Server-1.

Is this possible with Splunk?

Oh yeah... I read about clustering with Splunk and it looks like you need about 5 physical machines to get it to work. Remember, I only have two.


apfender_splunk
Splunk Employee

Regarding your original question: 2 indexers => yes. 2 servers => no.

Single-site clustering would be the best approach for you; only then can Splunk take over the replication part.
But not with only 2 servers. You need at least 4 instances (two peers, one master node, one search head).

Load balancing only helps for availability if server-1 goes down, but that doesn't mean your data are in sync.

You can set up an rsync job to keep warm and cold in sync (warm/cold buckets are read-only for splunk), but not hot buckets.

Well, you can limit the retention or size in hot so you don't lose too much data if Server-1 fails.

If your hardware is performing well enough, you can set up different instances for different roles on the same machine using different IPs. Different ports are not enough. But this is fiddly and totally not supported.

And seriously: why not make the master node and search head virtual? Or the whole thing virtual?
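The rsync job mentioned in this answer, written out as an added example (not from the thread or from Splunk): it copies the warm (db/) and cold (colddb/) bucket directories of one index from Server-1 to Server-2 and skips hot_* directories, which Splunk is still writing. The index path under $SPLUNK_DB, the destination host name and the bucket directory names are assumptions.

```shell
#!/bin/sh
# Added example: one-way sync of warm and cold buckets with rsync, skipping hot buckets.
# Assumptions (constructed, not from the thread): an index lives under
# $SPLUNK_DB/<index>/db (hot and warm buckets) and $SPLUNK_DB/<index>/colddb (cold);
# warm and cold bucket directories are named db_*, hot bucket directories hot_*.

# list_sync_buckets DIR
#   Print the bucket directory names in DIR that are safe to copy, i.e. every
#   directory except hot_* ones. Prints nothing if DIR does not exist.
list_sync_buckets() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for b in "$dir"/*/; do
        [ -d "$b" ] || continue
        name=$(basename "$b")
        case "$name" in
            hot_*) ;;                      # hot bucket: still being written, skip it
            *) printf '%s\n' "$name" ;;    # warm/cold bucket: read-only for Splunk, copy it
        esac
    done
}

# sync_index SRC_INDEX_DIR DEST_HOST DEST_INDEX_DIR
#   Mirror db/ and colddb/ of one index to the same layout on DEST_HOST.
#   --exclude 'hot_*' keeps hot buckets out; --delete removes buckets on the
#   destination that Splunk has since frozen/deleted on the source. Excluded
#   hot_* directories on the destination are left alone (no --delete-excluded).
sync_index() {
    src="$1"; host="$2"; dest="$3"
    for sub in db colddb; do
        rsync -a --delete --exclude 'hot_*' "$src/$sub/" "$host:$dest/$sub/"
    done
}

# Usage from cron on Server-1 (constructed paths and host name):
#   ./sync_buckets.sh sync /opt/splunk/var/lib/splunk/defaultdb server-2 /opt/splunk/var/lib/splunk/defaultdb
if [ "${1:-}" = "sync" ] && [ $# -eq 4 ]; then
    sync_index "$2" "$3" "$4"
fi
```

Whatever is still in a hot bucket on Server-1 does not reach Server-2 until that bucket rolls to warm and the next rsync run picks it up, which is exactly the gap the answer above describes; a shorter hot retention shrinks it but does not close it.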

anupjishnu
Path Finder

I guess you will need to use a load balancer like F5, and the forwarders should then send data to the VIP.


hartcl1
Explorer

Thanks for the response...

But I think I can configure the clients (universal forwarders) to send data to both Server-1 and Server-2 at the same time. I don't want to get into a situation where a link or server goes down for a while and, when the systems return, Server-1 has many more records than Server-2.

That's why I want a true replicating daemon that can log into both systems and verify that the pools of data on Server-1 and Server-2 are identical ... (100% of the time).

All this with only two servers... 🙂

If this product can't support that, then maybe I'll try to install all of the pieces of the clustering setup on the two servers I currently have.

Server-1
--- /opt/splunk-master -- using ports 9000-9010
--- /opt/splunk-search-head -- using ports 9020-9030
--- /opt/splunk-peer -- using ports 9040-9050

Server-2
--- /opt/splunk-search-head -- using ports 9020-9030
--- /opt/splunk-peer -- using ports 9040-9050

Maybe something like this would work.
