Indexer Clustering

Question 1

What is the reason for an automatic detention?

Answer 1

If disk space runs low (default <5 GB)

Question 2

Which features are disabled in a manual detention?

Answer 2

• Indexing (except internal)
• Data replication
• Inputs can be blocked if wished (not HEC)
• Continues to participate in searches

Question 3

Which features are enabled in automatic detention?

Answer 3

none, all indexing features are completely stopped

Question 4

Does the automatic detention mode recovers by itself?

Answer 4

Yes, if there is sufficient disk space (default > 5GB)

Question 5

What is a possible scenario for manual detention?

Answer 5

• Shift incoming data from a forwarder to another indexer
• To partially decommission an old indexer (but still use it for searches for existing data)
• Troubleshooting purpose

Question 6

When should the maintenance mode be activated?

Answer 6

Only for maintenance reason (eg updates, switch from single site to multi site etc.)

Question 7

What happens if a cluster is in maintenance mode?

Answer 7

It prevents the cluster from bucket fixup tasks and also from rolling buckets

Question 8

Which command puts the cluster into maintenance mode?

Answer 8

./splunk enable maintenance-mode

Question 9

What is the difference between ./splunk stop and ./splunk offline in a clustered environment ?

Answer 9

./splunk stop is not recommended in a clustered environment. With ./splunk offline the CM makes sure to re-assign or copy primary buckets to other peers to have at least a valid cluster. Once the CM finishes this task, the peer goes offline. The CM then waits for 60 seconds until the peer comes back (can be extended). If the peer does not come back, the CM starts bucket fixup activities to gain a complete cluster state.

Question 10

Which command decommissions a peer permanent?

Answer 10

/.splunk offline –enforce-counts

Question 11

What types of rebalancing does the cluster support?

Answer 11

Primary and data rebalancing

Question 12

What does primary rebalancing mean?

Answer 12

It means that the CM marks the primary buckets evenly to ensure that each peer has approx. the same number of primary copies. It does not copy the buckets, it just re-assigns the markers. There is no movement of buckets, and because of this limitation there will be never a perfect distribution of primary buckets. It automatically happens at the end of a rolling restart or if a new peer joins or re-joins. It also can be done through a REST call.

Question 13

Whats does data rebalancing mean?

Answer 13

Data rebalancing means to distribute the data storage evenly across all peers. It balances primary, searchable, non-searchable buckets so that each indexer has approx. the same amount of buckets. It does move buckets from one peer to another. The rebalance can be started through the GUI or through CLI or REST. You can set an attribute to make sure that searching is still possible (search-safe feature). An imbalance usually happens if a new peer joins the cluster or if a Forwarder does no distribute properly. Best practise is to perform a ‘remove excessive buckets’ task before a rebalancing to make sure that the process is efficient.

Command to perform a data rebalancing:
splunk rebalance cluster-data -action start [-searchable true] [-index index_name] [-max_runtime interval_in_minutes]

Question 14

What is the idea behind the ‘remove excessive buckets’ feature?

Answer 14

Lets assume a peer goes offline for longer, or there is a network outage and one indexer can not connect properly. The CM recognizes it since there is no hearbeat sent by the peer. The CM starts fixup activities to recover into a valid/complete state, means the CM re-assigns primary buckets and may copies buckets. Lets assume the indexer comes back. Now the picture looks different, since another peer took over the data which the missing peer held. Means, there is excessive data in the cluster. This has no negative impact on the cluster itself, but is consumes storage. This excessive buckets can be removed through this feature.

Question 15

List the migration procedure from a single site cluster to a multi site cluster

Answer 15

1) Breath
2) Make sure that the new servers meet the system requierements (CPU, RAM, storage, IOPS etc.)
3) Install all the new servers with Splunk Enterprise (same version)
4) Configure the CM with the new multi site configuration (do not delete single site policy)
5) Put the CM into maintenance mode
6) Configure all other new instances (SHs and IDXs) for multi-site (do not delete the single site config)
7) Disable maintenance mode, check log for errors and CM dashboard
8) If required, configure Forwarders for indexer discovery and site awareness

Question 16

How does the configuration looks like if you want to setup a CM initially for a single site environment with a rep factor of 2 and a search factor of 3 ?

Answer 16

./splunk edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret mysecret

Question 17

How does the configuration looks like if you want to setup an indexer initially for a single site environment with the replication port set to 9887 and a secret ‘mysecret’ ?

Answer 17

./splunk edit cluster-config -mode slave -master_uri https://cm:8089 -replication_port 9887 -secret mysecret

Question 18

How does the configuration looks like if you want to setup a searchhead initially to join the single site environment?

Answer 18

./splunk edit cluster-config -mode searchhead -master_uri https://cm:8089 -secret mysecret

Question 19

How about a CM failover scenario? How could that be realized?

Answer 19

A hot standby is not recommend. Instead, a cold standy (active/passive) works properly. A DNS based failover is a possible scenerio where the failover system has a clone of /opt/splunk/etc/master-apps and the [clustering] stanza from the server.conf. (be careful with hashed passwords)

Question 20

When does the CM blocks indexing and it needs to be unblocked with the ./splunk set indexing-ready command?

Answer 20

A site goes down and you later need to restart the master for any reason or the site with the master goes down and you bring up a stand-by master on another site. The reason for the blocking is that the CM needs to make sure to fullfil the replication factor. This does not occur when the CM is already running, the CM only checks after a restart.

Question 21

Where does the configuration bundle lives on a CM in a clustered environment?

Answer 21

$SPLUNK_HOME/var/run/splunk/cluster/remote_bundles

Question 22

What is the updating order in a clustered environment?

Answer 22

1. (MC)
2. CM (after upgrading CM, put it into maintenance mode to avoid bucket replication)
3. SH
4. IDX
5. If required, FWD too

Question 23

How does the replication work for indexes with accelerated data models or report acceleration?

Answer 23

By default, those indexes are not replicated. It is recommended to activate the replication on the CM through:

[clustering]
summary_replication = true

Question 24

Explain the different naming schema of buckets in a clustered environment

Answer 24

Buckets do have a different naming schema in a clustered environment.

Buckets beginning with db_XXXX_GUID are buckets from the originator.

Buckets beginning with rb_XXXX_GUID are replica buckets.

The GUID is always the GUID from the originator.

Question 25

What happens if the CM goes offline?

Answer 25

The cluster still operates, but new data may not replicate.

Question 26

What does site0 mean?

Answer 26

Its also known as the ‘magic site’. Usually a searchhead has a site configured in which they participate. If the site is set to 0, that means that the searchhead does not participate in any site anymore, it searches globally and search affinity is disabled.

Question 27

How does the CM/peers communicate?

Answer 27

Every communication in a cluster goes through REST endpoints (hearbeat, bucket status, generation etc.)

Question 28

Does the indexer discovery stanza on the CM requieres the same pass4SymmKey as in the clustering stanza?

Answer 28

No, those are different passwords. It is a different feature and the same password would introduce a security risk of breaking into the cluster.

Question 29

In which interval the SH polls the CM for a current list of indexers? (generations)

Answer 29

Default is set to 5s

Question 30

What is the default heartbeat send from an indexer to the CM ?

Answer 30

1s

Question 31

What is the default heartbeat timeout set on the CM?

Answer 31

60s

Question 32

How should the service_interval in the clustering stanze be tuned?

Answer 32

Raise it to one second for every 50k buckets (total)

Question 33

When should the heartbeat_period be tuned?

Answer 33

Tune this if you have lots of indexers (> 50) or lots of buckets (> 100k)

Question 34

Which bucket type acts different in terms of notifying the CM when it rolled?

Answer 34

The frozen bucket.

A roll from hot to warm and a roll from warm to cold both notify the CM replies with a list of streaming targets, for replication. This list is randomly chosen from the list of available indexers (generation), with enough to make sure we meet policy.

As for the frozen bucket, the peers notifies the CM but the CM does not replicate the change of state. The assumption is that the other indexers will freeze it themselves relatively soon. The only caveat to this is if one of the remaining copies is a searchable copy (and we froze the primary); in this instance, an already-existing searchable copy can be flagged primary

Question 35

How does the CM recognizes the primary and non-primary buckets?

Answer 35

Buckets do have a flag:

0x000000000 and 0xffffffff for non-primary and primary, respectively

The flags can be seen with the REST command:| rest /services/cluster/master/buckets

Question 36

Is it possible that buckets can have the same ID in a clustered environment? If yes, how does the CM makes sure to not mix up the data?

Answer 36

Buckets can have the same IDs. But the CM always uses not just the ID as reference, it uses the combination of ID and GUID to have unique values.

Question 37

What can you read out of the following search results? “index=_internal source=splunkd.log component=CMMaster event=addBucket”

Answer 37

If, where and when a new hot bucket was minted.

Question 38

How to recover the pass4SymmKey?

Answer 38

Splunk 7.2.2+

/opt/splunk/bin/splunk show-decrypted –value $hash

Question 39

Does buckets in a multi site cluster look different compared to single site buckets? If yes, what is the difference?

Answer 39

The look very similar, except that there is one difference. Multi site buckets now cointain a site marker (written in the journal.gz)

Question 40

If a search is performed, which buckets will be searched?

Answer 40

Only buckets who have a primary flag

Question 41

What will happen if you change the RF/SF in a clustered environment?

Answer 41

It will result in a fixup activity.
Raising RF = “lots of replica copies gone missing” Raising SF = “lots of searchable copies gone missing”

Reducing RF / SF = “copies have been made redundant”

Important: Always consider to re-calculculate the requiered disk storage for a change of the replication policy

Question 42

Can the internal Splunk replication task in a clustered environment be tuned?

Answer 42

Yes through the server.conf on the CM:
max_peer_rep_load
max_peer_build_load

Question 43

Can a searchhead search across different indexer cluster?

Answer 43

Yes, it is possible. In the clustering stanza on the CM you need to add another configuration for the other cluster

Question 44

What should be the maximum network latency between cluster peers?

Answer 44

<100ms.

Network latency should not exceed 100 milliseconds. Higher latencies can significantly slow indexing performance and hinder recovery from cluster node failures