Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

READ THIS FIRST: Key differences between clustered and non-clustered Splunk deployments

This topic describes key differences between clustered and non-clustered indexers. In particular, it discusses issues regarding system requirements and deployment.

Read this topic carefully if you plan to migrate your current set of indexers to a cluster.

Do not use deployment server or third-party deployment tools with cluster peers

Neither the deployment server nor any third party deployment tool (such as Puppet or CFEngine, among others) is supported as a means to distribute configurations or apps to cluster peers. To distribute configurations across the set of cluster peers, use the configuration bundle method outlined in the topic "Update common peer configurations".

Differences in system requirements

Peer nodes have some different system requirements compared to non-clustered indexers. Before migrating your indexer, read the topic "System requirements and other deployment considerations". In particular, be aware of the following differences:

  • When you convert an indexer to a cluster peer, disk usage will go up significantly. Make sure you have sufficient disk space available, relative to daily indexing volume, search factor, and replication factor. For detailed information on peer disk usage, read "Storage considerations".
  • You might need to use different hardware for your colddb storage. For detailed information on hardware storage needs, read "Storage hardware".
  • The peer node should reside on a high speed network with the other cluster components, as described in "Network requirements".
  • Cluster components cannot share Splunk instances. The master node, peer nodes, and search head must each run on its own instance.

Other considerations and differences from a non-cluster deployment

In addition, note the following:

  • For most types of cluster deployments, you should enable indexer acknowledgment on the forwarders sending data to the peer. This will have some effect on indexing performance. See "How indexer acknowledgement works".
  • There will be some overall reduction in performance due to a few factors; mainly, indexer acknowledgement, as well as the need to store, and potentially index, replicated data coming from other peer nodes.
  • When restarting cluster peers, you should use the Manager or one of the cluster-aware CLI commands, such as splunk offline or splunk rolling-restart. Do not use splunk restart. For details, see "Restart the entire cluster or a single cluster node".

Migrate a non-clustered indexer

To learn how to migrate an existing Splunk indexer to a cluster and the ramifications of doing so, read the topic "Migrate non-clustered indexers to a cluster".

PREVIOUS
Deployment overview
  NEXT
System requirements and other deployment considerations

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters