Deployment Architecture

How do I ensure indexed data stays in the local area in which it was indexed?

thomas_forbes
Communicator

I have a distributed clustered environment with (1) search head, (2) indexer nodes clustered together, (1) master node, and (1) deployment server at location A. At location B I have (1) search head and (2) indexer nodes that are also clustered together. I want to minimize the amount of traffic sent between the (2) sites as much as possible.

My server.conf file configuration on my masternode at location A is set as follows:

[clustering]
access_logging_for_heartbeats = 1
cluster_label = Splunk_Cluster
max_peer_build_load = 5
mode = master
pass4SymmKey = afadfgsdfgsdfgsgf
available_sites = site1,site2
site_replication_factor = origin:2,total:3
site_search_factor = origin:1.total:2
multisite = true
heartbeat_timeout = 180

[general]
pass4SymmKey = dfasfdasdgdasfasdgsd
serverName = splunk4
site = site1
allowRemoteLogin = always

My server.conf file configuration on my search head at location A is set as follows:

[clustering]
access_logging_for_heartbeats = 1
cluster_label = Splunk_Cluster
master_uri = https://splunk4:8089
max_peer_build_load = 5
mode = searchhead
multisite = true
pass4SymmKey = lajfaqwjpo24j[w
search_factor = 2

[general]
pass4SymmKey = ;dnkhewiopaj[rjo
serverName = splunk1
site = site1

My server.conf file configuration for indexer #1 at location A is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = sdjfl;asjhiopaejfasd

[general]
pass4SymmKey = ;kdjfkl;asj;djafj
serverName = splunk2
site = site 1

My server.conf file configuration for indexer #2 at location A is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = jkljhljkhlhujh

[general]
pass4SymmKey = jhljkhkljhiouhoi
serverName = splunk3
site = site 1

My server.conf file configuration on my search head at location B is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = searchhead
pass4SymmKey = jal;kjl;ajjfoijope
multisite = true

[general]
pass4SymmKey = ;kljakjdfl;ajfioewj
serverName = splunk6
site = site2

My server.conf file configuration for indexer #1 at location B is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = jal;kjl;ajjfoijope

[general]
pass4SymmKey = ljlkjl;j;ljl;jdk;lkas
serverName = splunk7
site = site2

My server.conf file configuration for indexer #2 at location B is set as follows:

[clustering]
master_uri = https://splunk4:8089
mode = slave
pass4SymmKey = dasdfafdasfdaf

[general]
pass4SymmKey = fsdgdfgsdgf
serverName = splunk8
site = site2

Will the configs outlined above allow that, or am I missing something?

Thanks,
Tom Forbes

0 Karma

Richfez
SplunkTrust

Multi-site search affinity should work automatically as long as you have a searchable copy of the data at the same site. So that much should be good without going to extra steps as long as the indexers are configured correctly.

Adding site_search_factor = origin:1.total:2 as you have should take care of at least having one searchable copy of data at each site, so in case of network problem or indexer failure you'll still be able to search. (In those emergencies you may search across sites).

So, on to your multi-site indexer cluster settings. You've set site_replication_factor = origin:2,total:3 with two sites that appear to be correctly set up with two indexers each. So, wherever the data originates (either site1 or site2) will get two copies - matching your two indexers - and the "other" site will get one more copy to bring it up to 3 total copies.

In my eyes the multi-site stuff looks correct to accomplish your goals. The rest of the config I'm less an expert on but it doesn't look wrong.

Does that help?

0 Karma
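
A lint pass for the multisite settings discussed in this thread, as an added example (not from either poster and not Splunk's own code). It checks that each peer's site is a siteN value listed in available_sites, that both factors parse in the comma-separated origin:N,total:M form, that the search factor does not exceed the replication factor, and that enough searchable copies remain for every non-origin site to hold one. The function names, peer names and sample stanzas are constructed for illustration; search heads (which may also use site0) and explicit per-site terms are not handled.

```python
import configparser
import re
SITE_ID = re.compile(r"site([1-9]|[1-5]\d|6[0-3])")  # peer site ids: site1 .. site63
TERM = re.compile(r"(origin|total):([1-9]\d*)")

def parse_factor(value):
    """Parse the 'origin:N,total:M' form used in this thread, else raise ValueError."""
    terms = {}
    for part in value.split(","):
        m = TERM.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unparseable term {part.strip()!r}")
        terms[m.group(1)] = int(m.group(2))
    if set(terms) != {"origin", "total"} or terms["origin"] > terms["total"]:
        raise ValueError("expected origin:N,total:M with N <= M")
    return terms

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def lint(master_conf, peer_confs):
    """Check the master's server.conf text against {peer name: server.conf text}."""
    findings = []
    cl = load(master_conf)["clustering"]
    sites = [s.strip() for s in cl.get("available_sites", "").split(",")]
    factors = {}
    for opt in ("site_replication_factor", "site_search_factor"):
        try:
            factors[opt] = parse_factor(cl.get(opt, ""))
        except ValueError as err:
            findings.append(f"master: {opt}: {err}")
    for name, text in peer_confs.items():
        site = load(text).get("general", "site", fallback="")
        if not SITE_ID.fullmatch(site) or site not in sites:
            findings.append(f"{name}: site {site!r} is not one of {sites}")
    if len(factors) == 2:
        rf, sf = factors["site_replication_factor"], factors["site_search_factor"]
        if sf["origin"] > rf["origin"] or sf["total"] > rf["total"]:
            findings.append("master: search factor exceeds replication factor")
        if sf["total"] - sf["origin"] < len(sites) - 1:
            findings.append("master: some site may hold no searchable copy")
    return findings

# Constructed sample input (hypothetical peer names), not files from a real deployment.
MASTER = ("[clustering]\navailable_sites = site1,site2\nsite_replication_factor = "
          "origin:2,total:3\nsite_search_factor = origin:1.total:2\n")
PEERS = {"peer-a": "[general]\nsite = site 1\n", "peer-b": "[general]\nsite = site2\n"}
```

Calling `lint(MASTER, PEERS)` on the constructed sample returns one finding for the factor written with a period and one for the site value containing a space.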