Splunk® Enterprise

Managing Indexers and Clusters of Indexers

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

How indexer clusters handle report and data model acceleration summaries

By default, indexer clusters do not replicate report acceleration and data model acceleration summaries. This means that only primary bucket copies will have associated summaries.

You can configure the manager so that the cluster does replicate summaries. All searchable bucket copies will then have associated summaries. This is the recommended behavior.

For details on report acceleration and data model acceleration, read the chapter Use data summaries to accelerate searches in the Knowledge Manager Manual.

For information on summaries and SmartStore, see How SmartStore handles report and data model acceleration summaries.

Where summaries reside

The summaries reside on the peer nodes in their own directories. You specify the directory locations in indexes.conf, with the summaryHomePath and tstatsHomePath attributes for the report acceleration and data model acceleration summaries, respectively. See the indexes.conf specification file for details.

A summary correlates with one or more buckets, depending on the summary's time span.

Replicated summaries

If you want the cluster to replicate summaries, you must set this attribute in the manager node's server.conf file:

[clustering]
summary_replication = true

You must restart the manager.

You can also use the CLI on the manager node to set the attribute:

splunk edit cluster-config -summary_replication true

This command does not require a restart.

When the cluster is configured to replicate summaries, the cluster takes steps to ensure that each searchable bucket copy has an associated summary copy:

  • For hot buckets. The cluster creates a summary for each searchable copy of a hot bucket.
  • For warm/cold buckets. The cluster replicates summaries for searchable copies of warm or cold buckets, when necessary. The cluster will use replication to fill in any missing summaries for searchable copies of warm or cold buckets.

When you turn on summary replication for the first time, the cluster might need to replicate a large number of summaries. This can have an impact on network bandwidth. To limit the number of summary replications occurring simultaneously, you can change the value of the max_peer_sum_rep_load attribute in the manager node's server.conf file. Its default value is 5.

Non-replicated summaries

If you keep the default behavior, the cluster will not replicate summaries. This section describes how the cluster handles non-replicated summaries.

A summary correlates with one or more buckets, depending on the summary's time span. When a summary is generated, it resides on the peer that holds the primary copy of the bucket for that time span. If the summary spans multiple buckets, and the primary copies of those buckets reside on multiple peers, then each of those peers will hold the corresponding part of the summary.

If primacy gets reassigned from one copy of a bucket to another (for example, because the peer holding the primary copy fails), the summary does not move to the peer with the new primary copy. Therefore, it becomes unavailable. It will not be available again until the next time Splunk Enterprise attempts to update the summary, finds that it is missing, and then regenerates it.

In multisite clusters, like single-site clusters, the summaries reside with the primary bucket copy. Because a multisite cluster has multiple primaries, one for each site that supports search affinity, the summaries reside with the particular primary that the generating search head accessed when running the search. Due to search affinity, that usually means that the summaries reside on primaries on the same site as the generating search head.

Summary replication and contention for resources

A search head with acceleration enabled runs special searches on the peers. These searches build the summaries. See, for example, the description of building report acceleration summaries in "Manage report acceleration" in the Knowledge Manager Manual.

In the case of replicated summaries on an indexer cluster, summaries are built on each searchable copy of a hot bucket. A peer node can be building summaries simultaneously both for copies of buckets originating on that peer and also for copies of buckets originating on other peers. This means that, with summary replication enabled, summary-generating searches use more resources across the cluster, and the searches can take longer to complete.

Last modified on 15 November, 2023
How search works in an indexer cluster   How indexer cluster nodes start up

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters