We are deploying a new instance of Splunk Enterprise and have decided on a multisite cluster architecture for high availability and disaster recovery. Unfortunately, we are getting our hardware resources in drops; we have enough resources now to build out one site (site1) and we expect the next drop later this fall/early winter to build out our second site (site2). After that time we expect additional resources to add indexers at each of the two sites.
Our initial hardware will support a 3-peer indexer cluster (with associated master, ds, lm, search, etc.). We would like to have rep factor 3, search factor 2. When we get the resources deployed at site2, we would like to rebalance the buckets from site1 using site2 resources.
Can we initially use the following master and indexer server.conf to enable multisite on day one, then update the conf when site2 is online?
master server.conf:
[general]
...
site = site1
[clustering]
available_sites = site1
mode = master
multisite = true
pass4SymmKey = whatever
site_search_factor = origin:1,total:2
site_replication_factor = origin:2,total:3
indexers server.conf:
[general]
site = site1
...
[clustering]
master_uri = https://master:8089
mode = slave
pass4SymmKey = whatever
Once site2 is online, we would update the master server.conf as:
[general]
...
site = site1
[clustering]
available_sites = site1,site2
mode = master
multisite = true
pass4SymmKey = whatever
site_search_factor = origin:1,site1:1,site2:1,total:2
site_replication_factor = origin:2,site1:1,site2:1,total:3
The indexers server.conf would be configured for site1 or site2 as appropriate:
[general]
site = site1|site2
...
[clustering]
master_uri = https://master:8089
mode = slave
pass4SymmKey = whatever
A forced data rebalance should then stream replicated and searchable copies of buckets to site2. Yes, this could take a while but eventually it would complete (I expect).
Any unforeseen issues with this plan?