Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to ensure no data is lost (add back the databases) if a server is rebuilt using an Ansible script?

troyfred
Explorer
‎06-04-2020 10:25 AM

We have an Ansible script that rebuilds/reindexes etc a Splunk indexer, if for some reason it implodes on itself.
We also have incremental backups of the Splunk databases (for this question lets say "Data1").

While the script can rebuild the server, what is the best way to add back those databases if a server is rebuilt so we do not lose all the data we have saved? Thanks in advance for any assistance.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2020 10:53 AM

The best way is to use an indexer cluster. The cluster automatically backs up buckets to another indexer and automatically recovers from an indexer failure. Your ansible script just has to build the indexer and add it to the cluster then the cluster does the rest.

Your current method most likely is not backing up hot buckets and so you have the risk of losing that data when an indexer fails. Indexer clustering backs up hot buckets continuously so there's little chance of lost data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

troyfred
Explorer
‎06-04-2020 12:30 PM

So I would need a second server as basically a back up to the main (or the main being a backup for the backup), so if one fails I blow it away and just have ansible recreate it and the one that didn't die fills in the info?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2020 01:04 PM

There's a little more to it than that as you'll also need a third server to be the cluster master. Clustered indexers are not active/backup, they are active/active with each taking a portion of the indexing and searching load. See https://docs.splunk.com/Documentation/Splunk/8.0.4/Deploy/Indexercluster

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...