Multisite indexer cluster deployment overview
Before reading this topic, see:
- "Indexer cluster deployment overview". That topic provides a general overview of deployment for both single-site and multisite indexer clusters. The topic you are reading now describes only the multisite differences.
Important: This chapter assumes that you are deploying independent search heads in the multisite indexer cluster. For information on how to incorporate search heads that are members of a search head cluster, see "Integrate the search head cluster with an indexer cluster" in the Distributed Search manual.
Migrating from a single-site cluster?
To migrate from a single-site to a multisite indexer cluster, read "Migrate an indexer cluster from single-site to multisite".
Deploy a multisite indexer cluster
To deploy a multisite cluster, you configure the set of nodes for each site:
- A single manager node resides on one of the sites and controls the entire multisite cluster.
- A set of peer nodes resides on each site.
- A search head resides on each site that searches cluster data. If you want all searches to be local, you must install a search head on each site. This is known as search affinity.
For example, to set up a two-site cluster with three peers and one search head on each site, you install and configure these instances:
- One manager node on one of the sites, either site 1 or site 2
- Three peer nodes on site 1
- Three peer nodes on site 2
- One search head on site 1
- One search head on site 2
Note: The manager node itself is not actually a member of any site, aside from its physical location. However, each manager node has a built-in search head, and that search head requires that you set a site attribute in the manager's configuration. You must specify a site for the manager, even if you never use its built-in search head. Note that the search head is for testing only. Do not use it for production purposes.
Configure multisite nodes
To deploy and configure multisite cluster nodes, you must directly edit
server.conf or use the CLI. You cannot use Splunk Web.
Multisite-specific configuration settings
When you deploy a multisite cluster, you configure the same settings as for single-site, along with some additional settings to specify the set of sites and the location of replicated and searchable copies across the sites.
On the manager node, you:
- Enable the cluster for multisite.
- Enumerate the set of sites for the cluster.
- Set a multisite replication factor.
- Set a multisite search factor.
- Adjust the single-site replication and search factors as necessary. See "Multisite cluster does not meet its replication or search factors."
On each cluster node, you:
- Identify the site that the node resides on.
Configure with server.conf
To configure a multisite manager node with
server.conf, see "Configure multisite indexer clusters with server.conf".
Configure with the CLI
To configure a multisite manager node with the CLI, see "Configure multisite indexer clusters with the CLI"
Use indexer discovery with a multisite cluster
If you are using indexer discovery to connect forwarders to the peer nodes, you must assign a site to each forwarder. See "Use indexer discovery in a multisite cluster."
Search across both clustered and non-clustered search peers
Implement search affinity in a multisite indexer cluster
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 9.0.0