Hi,
We are planning on upgrading to 6.3 (from 6.1), and were wondering if it was possible to use clustering and replication to route data to other systems, but use that data only for UAT/SIT purposes? I don't want to re-index that data, so figured that this might be a good option.
You could potentially have a site within the cluster that is UAT / SIT, however, you cannot guarantee that this wont be replicated or searched in case of DR etc within the Splunk softlayer itself. This isnt recommended.
You would be better to have an intermediate HF tier in front of your indexers. From there you can split and route traffic as required/desired.
Look through the routing and forwarding section here : http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad
Using additional HFW doesn't increase my license, but if I send the data to two sets of indexers, that does increase my license. Are you suggesting something different?
The HF can send your UAT data to one indexer, and your production data to another. The data is not duplicated, hence there is no increase in license cost.
That's not what I want. I want to replicate data, without incurring licensing costs.
Oh I see. No, there is no 'development' style licensing for Splunk as far as I know. If you reach out to your reseller they might be able to help you out with a temp license for your upgrade?
Thanks. I thought about the HFW, but that would mean that I'm increasing my license cost, and I want to avoid that.
Using a HFW doesn't increase your license cost. Splunk only charges based on daily indexed volume, not the number of clients. The only way having a UAT / SIT environment effects you in terms of license, is that the environment would need to either share the main license you have, or you would need to purchase a license for UAT / SIT.
That being said, most environments like this will share the main license of the org, as the environment isnt used full time.