- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Indexer cluster from non clustered indexer
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexer cluster from non clustered indexer
Hello,
I have an instance with indexer and Search head in the same instance.
I was asked to create a cluster of indexers formed by the indexer I already have (replicating its data) and a new Indexer:
- Is it possible to keep the indexer and search head in the same instance or do I need to separate the indexer from the Search Head?
- Is it possible to replicate the historical data I have on the indexer into the new cluster member?
- Is there an offcicial procedure on how to achieve this?
Thank you very much.
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1: Probably but NOBODY does this. If you "need" to cluster, then you need Indexer capacity of some sort. Your Indexer tier's collective quality/response is only as good as your WORST single Indexer. You are guaranteeing that you will always have 1 Indexer (your Search Head + Indexer combo) that is worse than all the others.
2: It is possible but not officially supported. The bucket format for clustered indexers is different than for non-clustered. But they can co-habitate fine (it is just that the older format will NEVER replicate; eventually it will age out and nobody will care/notice).
3: No. #1 is unwise and nobody does it (so why would anybody document it). #2 is documented as "unsupported" but unofficially Splunk will do it for "important clients" and some of us will do it if you are willing to take the risk (we ninjas like to live dangerously).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you very much for your response.
I will not migrate the old data. It's the customer decision.
What would be better from the following?:
To keep that indexer for the old data only and create a cluster with 2 new indexers? (Is this possible?)
In this case I would have the SH consuming from one cluster (with 2 members) and a separate indexer.
or
Include this indexer as one of the members of the cluster and create a new indexer as the second member? (Is this possible?)
In this case the SH will be consuming only from the cluster (with 2 members).
Thank's again.
Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ans 1. You would need a separate VM for search head instance and a cluster master instance. See this for more details on machine requirement for indexer cluster. http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Systemrequirements#Machine_requirements
And 2 and 3. See this http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Migratenon-clusteredindexerstoaclustereden...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
