Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Multisite indexer clusters

Indexer clusters have built-in site-awareness, meaning that you can explicitly configure a multisite indexer cluster on a site-by-site basis. This simplifies and extends the ability to implement a cluster that spans multiple physical sites, such as data centers.

Use cases

Multisite clusters offer two key benefits over single-site clusters:

  • Improved disaster recovery. By storing copies of your data at multiple locations, you maintain access to the data if a disaster strikes at one location. Multisite clusters provide site failover capability. If a site goes down, indexing and searching can continue on the remaining sites, without interruption or loss of data.
  • Search affinity. If you configure each site so that it has both a search head and a full set of searchable data, the search head on each site will limit its searches to local peer nodes. This eliminates any need, under normal conditions, for search heads to access data on other sites, greatly reducing network traffic between sites.

Multisite configuration

You configure multisite clusters somewhat differently from basic, single-site clusters. These are the key differences for multisite clusters:

  • You assign a site to each node.
  • You can specify the replication and search factors on a site-by-site basis. That is, you can specify the number of copies and searchable copies that you want to maintain on each site, along with the number that you want to maintain on the cluster overall.

There are a few other configuration differences as well. See "Multisite deployment overview".

Multisite architecture

The architecture of single-site and multisite clusters is similar. These are the main differences for multisite clusters:

  • Each node belongs to an assigned site.
  • Replication of bucket copies occurs in a site-aware manner.
  • Search heads distribute their searches across local peers only, whenever possible.

For more information on multisite cluster architecture, read "Multisite indexer cluster architecture".

For more information

These chapters and topics describe multisite clusters in detail:

Other topics in this manual differentiate multisite and single-site clusters as needed.

Last modified on 21 September, 2020
About indexer clusters and index replication   The basics of indexer cluster architecture

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters