Best practice: Forward master node data to the indexer layer
It is considered a best practice to forward all master node internal data to the indexer (peer node) layer. This has several advantages:
- It accumulates all data in one place. This simplifies the process of managing your data: You only need to manage your indexes and data at one level, the indexer level.
- It enables diagnostics for the master node if it goes down. The data leading up to the failure is accumulated on the indexers, where a search head can later access it.
The preferred approach is to forward the data directly to the indexers, without indexing separately on the master. You do this by configuring the master as a forwarder. These are the main steps:
1. Make sure that all necessary indexes exist on the indexers. This is normally the case, unless you have created custom indexes on the master node. Since _audit
and _internal
exist on indexers as well as the master, you do not need to create separate versions of those indexes to hold the corresponding master data.
2. Configure the master as a forwarder. Create an outputs.conf
file on the master node that configures it for load-balanced forwarding across the set of peer nodes. You must also turn off indexing on the master, so that the master does not both retain the data locally as well as forward it to the peers.
Here is an example outputs.conf
file:
# Turn off indexing on the master [indexAndForward] index = false [tcpout] defaultGroup = my_peers_nodes forwardedindex.filter.disable = true indexAndForward = false [tcpout:my_peers_nodes] server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
This example assumes that each peer node's receiving port is set to 9997.
For details on configuring outputs.conf
, read "Configure forwarders with outputs.conf" in the Forwarding Data manual.
Enable the search head | Prepare the peers for index replication |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10
Feedback submitted, thanks!