Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens to the data if the indexer in an indexer cluster goes down?

sreejith2k2
Explorer
‎10-05-2016 03:54 PM

I have 12 Indexers (6 each/site) in a multi cluster environment. Data is replicated to the other site with RF =2 and SF =2, so even if one indexer (INDX01) goes down due to network issues, the indexer which is down currently holds data will be replicated to the other available 5 servers.

My question is, what happens to the data once that Indexer INDX01 is back (say after 2 days) to the cluster?

Will the indexer (INDX02 - 05) servers will start replicating the same data which is already there into the indexer (INDX01)? If so, will it have 3 copies, or it will delete the data?

Also, what is the case, if I enable maintenance mode once I come to know that the server is going to be offline for more than 24hrs, and what if I haven't enabled the maintenance mode?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎10-07-2016 10:41 AM

There are also extensive docs on this subject, see What happens when a peer node goes down in the Managing Indexers and Clusters of Indexers manual.

See also:

View solution in original post

Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎10-07-2016 10:41 AM

There are also extensive docs on this subject, see What happens when a peer node goes down in the Managing Indexers and Clusters of Indexers manual.

See also:

Reply
Solved! Jump to solution

sreejith2k2
Explorer
‎10-07-2016 02:55 PM

Thanks Chris

0 Karma
Reply
Solved! Jump to solution

botkindl
Explorer
‎10-07-2016 10:33 AM

When INDX01 comes back on line, it sends a list of all of its buckets to the cluster master. The cluster may end up with excess buckets, which you can remove from the master's UI.

Bear in mind that the indexers won't replicate on their own, unless the master is down. The master tells the indexers which buckets to replicate and where to send them. So, the other indexers won't send data to INDX01 that it already has. If INDX01 needs to have buckets to satisfy SF or RF, the master will tell the other indexers to replicate as needed.

If you do not enable maintenance mode while INDX01 is down, the master will tell your remaining indexers to replicate all of the buckets that INDX01 had when it went down -- in order to satisfy SF and RF. That can cause issues if you're short on disk space. If you do enable maintenance mode, the SF and RF are not enforced.

0 Karma
Reply
Solved! Jump to solution

sreejith2k2
Explorer
‎10-07-2016 02:56 PM

Thanks botkindl

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...