Indexer Clustering Flashcards
Describe the Master Node:
Cluster Master - Coordinates replication activity, and distributes configuration informatio
What are Indexer Clusters?
groups of SPlunk Indexers that provide data redundancy and disaster recovery capabilities, as well as feature automatic failover from one indexer to the next
What does high replication or search factor require?
Higher RF or SF requires greater storage. Plan accordingly.
What are the number of machines needed for a standard cluster?
Indexers (RF+) Cluster Master (1) Search Heads (1+)
What is the best practice for number of indexers in a cluster?
Do not set replication_factor = # of indexers
How should you use the org_cluster_master_base config?
set mode, RF, SF, pass4SymKey, cluster_label in the [clustering] stanza
- Example config in server.conf:
[clustering] Mode = master Replication_factor = 3 Search_factor = 2 pass4SymKey = 12345 Cluster_label = cluster1
How do you configure peer nodes?
Use org_cluster_search_base to configure cluster SH
Example config in server.conf [clustering] Mode = searchhead Master_uri = https://master:8089 pass4SymKey = 12345
How do you enable the search head that searches multiple clusters?
[clustering]
Mode = searchhead
Master_uri = clusternaster:one, clustermaster:two
[clustermater:one]
Master_uri = https://master:8089
pass4SymKey = 12345
[clustermaster:two]
master_uri = https://master2:8089
pass4SymKey = 67890
How do you gaurd against data loss on the forwarders to the indexers?
By enabling indexer discovery on forwarders.
- Must set unique pass4SymKey on server.conf in the [indexer_discovery] stanza on the CM
- Also set the pass4SymKey and master_uri in the outputs.conf of the forwarder.
- This allows the forwarder to know (from the indexer) that data has been received and processed.
What must all peers and the Cluster Master share?
The same set of indexes
What is the upgrade procedure?
- Clustermaster node
- Searchhead tier
License Master, DMC, etc.) - Indexer tier
What is the Maximum latency between CM and Indexers?
20 ms
What happens to an indexer in Detention?
An indexer in Detention (Manual or Automatic) will stop indexing data, but will still remain searchable
- Indexer in Manual detention will continue to index internal data
- ./splunk edit cluster-config -manual_detention on
How should you tune the indexer heartbeat interval?
one second for every 50k buckets
What is the Hot bucket lifecycle?
- The indexers notify the CM when a new hot bucket is minted.
- The CM replies with a list of streaming targets, for replication. This list is randomly chosen from the list of available indexers (generation), with enough to make sure we meet policy.
- Original indexer begins replicating data to target indexers.
What is the warm bucket lifecycle?
- The indexers notify the CM when a bucket rolls from hot to warm.
- The replication target is then notified that this bucket is complete, and the hot bucket will be rolled to warm on the target as well.
What is the frozen bucket lifecycle?
- In the case of an indexer cluster, when a peer freezes a copy of a bucket, it notifies the master. The master then stops doing fix-ups on that bucket. It operates under the assumption that the other peers will eventually freeze their copies of that bucket as well.
What is the benefit of putting an indexer that is almost out of disk space in manual detention?
It does not disable the indexer’s ability to participate in search, although it does disable the hosts ability to index.
How do you replace the Cluster Master?
No Failover capability
- Back up server.conf and /etc/master-apps
- Ensure communication is working
- Replace the master
Can you recover the contents of master-app from the clients?
Yes, it lives in $SPLUNK_HOME/var/run/splunk/cluster/remote-bundle on the indexers.
What are the steps, in order, to deploy the indexer cluster?
- Identify your requirements
- install the Splunk Enterprise instances
- Enable Clustering
- Complete Peer Node configuration
- Forward master node data to peer nodes
What is the preferred method to replace a Cluster Master Node?
Cloning is the preferred method as it allows for preparation/configuration of a new master before the failure event occurs.
