Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Index cluster with only two search peers

Julieda
Explorer
‎10-23-2015 12:01 AM

Does anyone have experience with index clusters that only contain two indexers? In splunk docs, and in most other forums, the only examples of clusters contain at least three nodes. But shouldn't it function with only two indexers as well? What would be the potential disadvantages, besides less redundancy and reliability?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-23-2015 12:11 AM

The default replication factor is three, so all the examples tend to show at least 3 indexers. However, AFAIK there is no restriction: you can have an index cluster with only 2 search peers (indexers). Just be sure to set the replication factor and search factor appropriately.

IMO, the only disadvantage (besides the ones you mention) would be: you must have a search head and a cluster master to complete your indexer cluster. So only half of your assets are actually indexing. I think you would get more for your money if you had a greater number of indexers. OTOH, you may have an initial installation with 2 indexers and plans to grow...

View solution in original post

Reply
Solved! Jump to solution

Steve_G_
Splunk Employee
Splunk Employee
‎10-23-2015 09:34 AM

Regarding the number of indexers, or peer nodes, the only requirement is that you have at least as many as the replication factor. For details, see:

http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Systemrequirements#Required_Splunk_Enterp...

0 Karma
Reply
Solved! Jump to solution

Julieda
Explorer
‎10-26-2015 12:34 AM

Great. Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-23-2015 12:11 AM

The default replication factor is three, so all the examples tend to show at least 3 indexers. However, AFAIK there is no restriction: you can have an index cluster with only 2 search peers (indexers). Just be sure to set the replication factor and search factor appropriately.

IMO, the only disadvantage (besides the ones you mention) would be: you must have a search head and a cluster master to complete your indexer cluster. So only half of your assets are actually indexing. I think you would get more for your money if you had a greater number of indexers. OTOH, you may have an initial installation with 2 indexers and plans to grow...

Reply
Solved! Jump to solution

Julieda
Explorer
‎10-23-2015 12:24 AM

Ok, great! It is good to know that this will function before the configuration begins, as I only have a production environment available. Hopefully the plan is to grow the number of indexers eventually. Thank you for answering so quickly!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...