Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

any way to replicate search artifacts and index between 2 all-in-on Splunk instance without cluter

danielwan
Explorer
‎07-29-2017 04:09 PM

I have 2 separated all-in-one Splunk boxes running on the different sites for DR purpose.
Is there any way to replicate the index and search artifacts between them?
The cluster is my last resort because cluster seems to require a dedicated master node, and require to run search header and cluster peer node on different hosts, which needs at least 5 nodes for my situation: 1 master, 2 peer nodes (one on each side), and 2 search (one on each site).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-29-2017 05:24 PM

rsync or a scheduled task to do the copying should do the trick...

Are you actively indexing on both instances?? Are users accessing both??

In a purely Active/Standby situation where the DR node is not used except in a hard cutover situation, this could work pretty easy...if both the nodes are being actively used, it won't be so easy as you need to avoid bucket collisions...

Check this blog and the links it has that covers what it takes to move buckets around safely:

https://www.splunk.com/blog/2012/02/21/restoring-an-index.html

If you are truly expecting proper high availability, with no down time if a site fails, clustering is a much better option

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-29-2017 09:10 PM

Do you mean DR or HA? They really are different things. There is no HA solution for Search Heads. For DR, just do backups of etc and var (especially dispatch).

0 Karma
Reply
Solved! Jump to solution

danielwan
Explorer
‎07-29-2017 10:56 PM

I mean DR, active-standby mode.
I am also evaluating cluster but it needs quite a few hosts.

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-29-2017 05:24 PM

rsync or a scheduled task to do the copying should do the trick...

Are you actively indexing on both instances?? Are users accessing both??

In a purely Active/Standby situation where the DR node is not used except in a hard cutover situation, this could work pretty easy...if both the nodes are being actively used, it won't be so easy as you need to avoid bucket collisions...

Check this blog and the links it has that covers what it takes to move buckets around safely:

https://www.splunk.com/blog/2012/02/21/restoring-an-index.html

If you are truly expecting proper high availability, with no down time if a site fails, clustering is a much better option

- MattyMo
0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-30-2017 07:45 AM

in light of just DR, then rsync your $SPLUNK_HOME/etc and $SPLUNK_HOME/var to the DR box and plan for a way to swing the forwarded traffic over. I would probably configure rsync to skip replicating the internal splunk indexes to avoid any issues with duplication, or keep the DR splunk stopped so its not creating internal buckets at all.

Thats how I backed up my standalone VM until we grew to distributed.

Make sure you practice restoring! 😉

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...