Multi sites indexers without the same number of pe...

davidf_bkk · ‎08-05-2018

Hello,

I currently have a multi site clustering.

Our architecture have 2 sites, and these 2 sites don't have the same number of indexers :

Site 1 : 2 indexers (200 Gb each)
Site 2 : 1 indexer (400 Gb)

My configuration is the following :

site_replication_factor = origin:1,site1:1,site2:1,total:2
site_search_factor = origin:2,site1:1,site2:1,total:2

But by doing this, I seem that a data redudancy occur on site 1,

For example I have an index which is limited to 15Gb :
Site1 : idx1 : full (15gb/15gb)
Site1 : idx2 : full (15gb/15gb)
Site2 : idx1 : full (15gb/15gb)

With a replication factor of 2, shouldn't be like this ? =>
Site1 : idx1 : half (7.5gb/15gb)
Site1 : idx2 : half (7.5gb/15gb)
Site2 : idx1 : full (15gb/15gb)

Of course, I want the data replicated between site 1 and 2. I have only one search head on site 1.

If I try the following :

replication_factor = 2
search_factor = 1

What happen ? Should I be able to search even if :
Site 1 IDX 1 is down (so the Site 1 is totally HS due to data repartition across the site ?)
Site 2 IDX 1 is down (As I have only one IDX, the site is down)

Am I understand well ?

Best regards,

dxu_splunk · ‎08-06-2018

do u want 1 copy per site?

origin:1,total:2

this puts 1 per site. or equivalently:

origin:1,site1:1,site2:1,total:2

for SF, if you don't want both copies to be searchable, you can do:

origin:1,total:1

(only the source copy will be searchable)

adonio · ‎08-06-2018

on everything .... origin:1,total:2
OR origin:1 site1:2 total:3 - this will put a copy on each of your indexers
you dont have enough indexers to support more replication than that

Multi sites indexers without the same number of peers

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases