Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problem related to clustering and replication of peer data

abhishek2013
New Member
‎04-03-2013 09:11 AM

I am facing a problem in setting up a cluster in splunk...
I have 1 master splunk instance with 2 replication factor and 2 search factor, i have 3 splunk instance as peer node and 1 splunk instance as search head.
Now i have configured a load balancing forwarder for peer machines..as soon as i get data in file configured in forwarder, i get data spread on peer node(some data on some peer node while other on other peer node).
On the search head node and master node i get data from all peer node.But on the peers node i can see data specific to only that peer node,is that the way it should actually be..or their is some problem ?
Also the problem is that as my one of the peers get down,its data is erased from the search head node and master,but when the peer node is up the data comes back on the seach head and master.My problem is that in case when the peer is down.i am not getting data of the downed peer node..Please help me is this case.
Thanks in advance..

Tags (1)
0 Karma
Reply

Steve_G_
Splunk Employee
Splunk Employee
‎04-03-2013 11:45 AM

Regarding your question, "But on the peers node i can see data specific to only that peer node,is that the way it should actually be..or their is some problem?" I assume you're running a search directly on the peer node. If that's the case, you will only see the searchable data on that specific node. The peer cannot access data on another node. See:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/Howclusteredsearchworks#Search_a_single_pe...

Regarding your second question on the downed peer node: when a peer node goes down, you can temporarily lose access to some data while bucket-fixing is occurring. However, if you have a search factor of 2 and only one peer goes down, then the full data set should be available again very quickly. The master just needs to reassign the primaries from the downed node to searchable copies on other nodes.

Reply

abhishek2013
New Member
‎04-03-2013 11:04 PM

Thanks for ur answer satisfied with the answer of first question. But I am still not getting the solution for second question as I am not getting the data of downed peer on the search head or master even after waiting for some time..
Can you ply tell if their any configuration to be done on master,search head or peer node so that it could work fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...