Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Multisite indexer cluster deployment overview

Before reading this topic, see:

Important: This chapter assumes that you are deploying independent search heads in the multisite indexer cluster. For information on how to incorporate search heads that are members of a search head cluster, see "Integrate the search head cluster with an indexer cluster" in the Distributed Search manual.

Migrating from a single-site cluster?

To migrate from a single-site to a multisite indexer cluster, read "Migrate an indexer cluster from single-site to multisite".

Deploy a multisite indexer cluster

To deploy a multisite cluster, you configure the set of nodes for each site:

  • A single master resides on one of the sites and controls the entire multisite cluster.
  • A set of peer nodes resides on each site.
  • A search head resides on each site that searches cluster data. If you want all searches to be local, you must install a search head on each site. This is known as search affinity.

For example, to set up a two-site cluster with three peers and one search head on each site, you install and configure these instances:

  • One master node on one of the sites, either site 1 or site 2
  • Three peer nodes on site 1
  • Three peer nodes on site 2
  • One search head on site 1
  • One search head on site 2

Note: The master itself is not actually a member of any site, aside from its physical location. However, each master has a built-in search head, and that search head requires that you set a site attribute in the master's configuration. You must specify a site for the master, even if you never use its built-in search head. Note that the search head is for testing only. Do not use it for production purposes.

Configure multisite nodes

To deploy and configure multisite cluster nodes, you must directly edit server.conf or use the CLI. You cannot use Splunk Web.

Multisite-specific configuration settings

When you deploy a multisite cluster, you configure the same settings as for single-site, along with some additional settings to specify the set of sites and the location of replicated and searchable copies across the sites.

On the master, you:

On each cluster node, you:

  • Identify the site that the node resides on.

Configure with server.conf

To configure a multisite master node with server.conf, see "Configure multisite indexer clusters with server.conf".

Configure with the CLI

To configure a multisite master node with the CLI, see "Configure multisite indexer clusters with the CLI"

Use indexer discovery with a multisite cluster

If you are using indexer discovery to connect forwarders to the peer nodes, you must assign a site to each forwarder. See "Use indexer discovery in a multisite cluster."

Last modified on 01 October, 2020
Search across both clustered and non-clustered search peers   Implement search affinity in a multisite indexer cluster

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters