Splunk® Enterprise

Distributed Search

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Choose the replication factor for the search head cluster

The replication factor determines the number of copies of each search artifact, or search result, that the cluster maintains. Replication occurs only for artifacts from scheduled saved searches. The cluster does not replicate results from ad hoc searches or realtime searches.

Effect of the replication factor

The cluster can tolerate a failure of (replication factor - 1) members without losing any search artifacts. For example, to ensure that your system can handle the failure of two members without losing search artifacts, configure a replication factor of 3. This configuration directs the cluster to store three copies of each search artifact, with each copy on a different member. If two members go down, the artifact is still available on a third member.

The default value for the replication factor is 3. This number is sufficient for most purposes.

Even with a large cluster of, for example, 50 search heads, you do not need a commensurately large replication factor. As long as you do not lose the replication factor number of members, at least one copy of each search artifact still exists somewhere on the cluster and is accessible to all cluster members. Any search head in the cluster can access any search artifact by proxying from a search head storing a copy of that artifact. The proxying operation is fast and unlikely to impede access to search results from any search head.

Note: The replication factor determines only the number of copies of search artifacts that the cluster maintains. It does not affect the replication of runtime configuration changes, such as new saved searches. Those changes get replicated to all cluster members by a different process. If you have 50 search heads, each of those 50 gets a copy of such configuration changes. See Configuration updates that the cluster replicates.

Replication factor configuration

All search head cluster members must use the same replication factor. The server.conf attribute that determines the replication factor is replication_factor in the [shclustering] stanza.

You specify the replication factor during deployment of the cluster, as part of member initialization. See Initialize cluster members.

You can change the replication factor post-deployment, if necessary, but it is recommended that you consult Splunk Support before doing so. If you change the replication factor on one member, you must change it on all members. For information on modifying configuration values, see Configure the search head cluster.

For more information

For information on how the cluster replicates search artifacts, see How the cluster handles search artifacts. That subtopic describes several key points about artifact replication, among them:

  • In some cases, the cluster might replicate more than the replication factor number of a search artifact.
  • Artifact proxying, along with additional replication, occurs if a member without a copy of the artifact needs access to it.
  • If a member goes down, the cluster replaces the artifact copies that were being stored on that member.

See List search artifacts to learn how to view the set of artifacts in the cluster and on individual members.

Last modified on 30 September, 2019
Configure the search head cluster   Set a security key for the search head cluster

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters