Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I need to down size the number of indexers to half

bapun18
Communicator
‎02-12-2024 10:34 AM

Hi Team,
I need to decrease the number of indexers used to half, in my current configurations we have site replication factor is 5 in total with origin:3 and site searchfactor is defined as 3 in total and origin:2.

My total number of indexers is 24 and I want to decrease the count of indexers to 12.

I want to have the complete process of reducing the indexer cluster size so that the buckets which have site information will not be impacted.

bapun18_0-1707762622976.pngbapun18_1-1707762666289.png

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2024 10:56 AM

Assuming you've verified 12 indexers can handle both the indexing and search loads, then you just need to remove 12 indexers. 

1. Remove 12 indexers from outputs.conf on all instances.  Ideally, you have this in an app so you can make the change once an push it to where it is needed (SHs, forwarders, DS, MC, CM, LM).  If you've implemented Indexer Discover then you can skip this step.

2. Put the 12 indexers into manual detention.  This will keep them from accepting new data or replicated buckets.

splunk edit cluster-config -auth <username>:<password> -manual_detention on

3. Run this command on each indexer being removed.

splunk offline --enforce-counts

Wait for the indexer to stop before proceeding to the next.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2024 01:35 AM

Hi @bapun18 ,

The number of indexers depends on the daily indexed logs, on the number of scheduled searches and active users.

how many of them do you have?

can your reducted Indexers manage your volume?

In my opinion only a Splunk Architect can answer to this question.

Ciao.

Giuseppe 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2024 10:38 AM

Why do you want to reduce the number of indexers? 

What problem are you trying to solve? 

Can 12 indexers handle the workload currently done by 24 indexers?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

bapun18
Communicator
‎02-12-2024 10:40 AM

Yes, it can handle.. Data volume reduced, so there is no point of keeping 24 indexers. 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2024 10:56 AM

Assuming you've verified 12 indexers can handle both the indexing and search loads, then you just need to remove 12 indexers. 

1. Remove 12 indexers from outputs.conf on all instances.  Ideally, you have this in an app so you can make the change once an push it to where it is needed (SHs, forwarders, DS, MC, CM, LM).  If you've implemented Indexer Discover then you can skip this step.

2. Put the 12 indexers into manual detention.  This will keep them from accepting new data or replicated buckets.

splunk edit cluster-config -auth <username>:<password> -manual_detention on

3. Run this command on each indexer being removed.

splunk offline --enforce-counts

Wait for the indexer to stop before proceeding to the next.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...