Hi @gcusello 

Regarding this point you have raised:

You cannot configure stand alone Indexers, you can configure two IDX located in two different locations and managed by a Cluster Master.

so if i used this approach  and during DR Drill all node located in one site and also cluster master node  will be down and searching will be affect.

am i right?

Hi @hazem,

for my knowledge a multisite IDX Custer requires at least two IDXs for each site!

If you want to put an IDX in each site is phisically a multisite Indexer Cluster but it's a simple Indexer Cluster with two nodes located in two different sites.

You cannot configure stand alone Indexers, you can configure two IDX located in two different locations and managed by a Cluster Master.

I applied this configuration in one project, it's the minimal configuration to have the full dataset in two locations.

About configuration, as I said, you have to consider your architecture a single site Indexer Cluster and configure it in this way.

About retention, there's no sense to have a different retention in the two sites because if you have to use the secondary site you cannot search in all data!

And I'm not sure that's possible to define a different retention for the two IDXs.

Never speak of two stand alone Indexers because if you want data replication (without paying double license) you must use a Cluster.

Ciao.

Giuseppe

Hi @hazem ,

During DR,  you have primary site and probably also Cluster Manager both down, but you can search on the Indexer in the secondary site, that will have al the data for the replication, for this reason you cannot have a minor retention time in the secondary site.

The secondary site continue to work (also without CM) until the primary site and CM will come up again, at this point there will be the data balancing replicating the data indexed during the DR. 

Ciao.

Giuseppe

hello @gcusello 

i think the below answer will be sittable  for multi-site cluster and in single  single site-cluster during DR Drill both of nodes will down and may search affect.

am i right?

During DR,  you have primary site and probably also Cluster Manager both down, but you can search on the Indexer in the secondary site, that will have al the data for the replication, for this reason you cannot have a minor retention time in the secondary site.

The secondary site continue to work (also without CM) until the primary site and CM will come up again, at this point there will be the data balancing replicating the data indexed during the DR

Hi @hazem ,

when the primary site is down, you can access the secondary site Indexer for searches.

But rememeber that using an IDX cluster, you must use a Search Head to search on the two clustered Indexers, it isn't possible to use the same server for searches as a stand-aone server.

From version 7 Splunk IDX Cluster is accessible only using a Search Head

Ciao.

Giuseppe

Hi @hazem ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉