Solved: Adding peers to indexer cluster when you ran out o...

arsalanj · ‎07-05-2019

Let's say I have a cluster with replication factor=2.
If I realize that after a while the indexer is running out of disk space, is it possible to add new indexer peers and instruct Splunk to send the new data to the newly added nodes and those nodes only replicate the new data to each other?

So, indexer 1 and indexer 2 have the same data. when they run out of disk space I add indexer 3 and indexer 4.
I will stop sending the logs to indexer 1 and indexer 2.
I will only send the logs to indexer 3 and indexer 4.
Indexer 3 and Indexer 4 have the same data but they don't have the data resides on indexer 1 and indexer 2.
Is this something that can be accomplished with Splunk?

Regards,
Arsalan

woodcock · ‎07-05-2019

Yes, but that's not the right way to do it. Just add the new indexer and rebalance:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Rebalancethecluster

View solution in original post

woodcock · ‎07-05-2019

Yes, but that's not the right way to do it. Just add the new indexer and rebalance:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Rebalancethecluster

Adding peers to indexer cluster when you ran out of disk space

indexer clustering

resource usage

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...