Indexer Clustering Flashcards

1
Q

Describe the Master Node:

A

Cluster Master - Coordinates replication activity, and distributes configuration information

2
Q

What are Indexer Clusters?

A

Groups of Splunk indexers that provide data redundancy and disaster recovery capabilities, and that feature automatic failover from one indexer to the next

3
Q

What does high replication or search factor require?

A

Higher RF or SF requires greater storage. Plan accordingly.

4
Q

What is the number of machines needed for a standard cluster?

A
Indexers (RF+)
Cluster Master (1)
Search Heads (1+)
5
Q

What is the best practice for number of indexers in a cluster?

A

Do not set replication_factor = # of indexers

6
Q

How should you use the org_cluster_master_base config?

A

Set mode, RF, SF, pass4SymKey, cluster_label in the [clustering] stanza
- Example config in server.conf:

[clustering]
mode = master
replication_factor = 3
search_factor = 2
pass4SymKey = 12345
cluster_label = cluster1
7
Q

How do you configure peer nodes?

A

Use org_cluster_search_base to configure cluster SH

Example config in server.conf:

[clustering]
mode = searchhead
master_uri = https://master:8089
pass4SymKey = 12345
8
Q

How do you enable the search head that searches multiple clusters?

A

[clustering]
mode = searchhead
master_uri = clustermaster:one, clustermaster:two

[clustermaster:one]
master_uri = https://master:8089
pass4SymKey = 12345

[clustermaster:two]
master_uri = https://master2:8089
pass4SymKey = 67890

9
Q

How do you guard against data loss from the forwarders to the indexers?

A

By enabling indexer discovery on forwarders.

  • Must set a unique pass4SymKey in the [indexer_discovery] stanza of server.conf on the CM
  • Also set the pass4SymKey and master_uri in the outputs.conf of the forwarder.
  • This allows the forwarder to know (from the indexer) that data has been received and processed.
10
Q

What must all peers and the Cluster Master share?

A

The same set of indexes

11
Q

What is the upgrade procedure?

A
  • Clustermaster node
  • Searchhead tier
    License Master, DMC, etc.)
  • Indexer tier
12
Q

What is the maximum latency between CM and Indexers?

A

20 ms

13
Q

What happens to an indexer in Detention?

A

An indexer in Detention (Manual or Automatic) will stop indexing data, but will still remain searchable.

  • Indexer in Manual detention will continue to index internal data
  • ./splunk edit cluster-config -manual_detention on
14
Q

How should you tune the indexer heartbeat interval?

A

one second for every 50k buckets

15
Q

What is the Hot bucket lifecycle?

A
  1. The indexers notify the CM when a new hot bucket is minted.
  2. The CM replies with a list of streaming targets, for replication. This list is randomly chosen from the list of available indexers (generation), with enough to make sure we meet policy.
  3. Original indexer begins replicating data to target indexers.
16
Q

What is the warm bucket lifecycle?

A
  1. The indexers notify the CM when a bucket rolls from hot to warm.
  2. The replication target is then notified that this bucket is complete, and the hot bucket will be rolled to warm on the target as well.
17
Q

What is the frozen bucket lifecycle?

A
  1. In the case of an indexer cluster, when a peer freezes a copy of a bucket, it notifies the master. The master then stops doing fix-ups on that bucket. It operates under the assumption that the other peers will eventually freeze their copies of that bucket as well.
18
Q

What is the benefit of putting an indexer that is almost out of disk space in manual detention?

A

It does not disable the indexer’s ability to participate in search, although it does disable the host’s ability to index.

19
Q

How do you replace the Cluster Master?

A

No Failover capability

  • Back up server.conf and /etc/master-apps
  • Ensure communication is working
  • Replace the master
20
Q

Can you recover the contents of master-app from the clients?

A

Yes, it lives in $SPLUNK_HOME/var/run/splunk/cluster/remote-bundle on the indexers.

21
Q

What are the steps, in order, to deploy the indexer cluster?

A
  1. Identify your requirements
  2. Install the Splunk Enterprise instances
  3. Enable Clustering
  4. Complete Peer Node configuration
  5. Forward master node data to peer nodes
22
Q

What is the preferred method to replace a Cluster Master Node?

A

Cloning is the preferred method as it allows for preparation/configuration of a new master before the failure event occurs.