Splunk 103

Question 1

What is Indexer Clustering?

Answer 1

Clustering is where multiple indexers are connected in order to maintain multiple identical copies of data. Clusters featuer “automatic failover”, which simply means when or if one indexer fails, the others will pick up the slack and maintain continuity in its activites.

This means:

• Data is protected from sudden loss
• More copies are available for users who are actively searching
• The above acitvities will continue even when an indexer goes down

Question 2

What determines the number of copies kept withint a cluster?

Answer 2

Replication Factor

Question 3

What is the Replciation Factor?

Answer 3

This determines how many copies are maintained within an indexer cluster.
Default RF is 3.

Question 4

What is the Search Factor?

Answer 4

This determines how many copies in the cluster are immediately searchable
Default SF is 2.

Question 5

What is the minimum amount of indexers that you have to have in cluster?

Answer 5

3

Question 6

What are components of a cluster?

Answer 6

Cluster Peer (Peer Node) 
Cluster Master (Master Node)

Question 7

What are Cluster Peers?

Answer 7

Peers are the indexers that are in the cluster. They recieve and index incoming data, and replicate it to other peers. They respond to incoming searches by supplying search results.

Question 8

What is Cluster Master?

Answer 8

It manages cluster activities (such as adding peers, distributing configurations, determining number of copies to maintaing)
It maintains memory of peers, their buckets and configs, and tells search heads where to request data

Question 9

How does distributed search work in the cluster?

Answer 9

Search head “asks” Master Node in which indexers it should should search for the data it is searching for, and then it accesses those indexers.

Question 10

What are benefits of clustering?

Answer 10

Data availability and fast recovery
Easier overall administration:
- Coordinated indexer configuration management
- Automatic distributed search set up
- Elastic indexer discovery
- Indexer health dashboard on Cluster Master
Scalability of Indexing
No additional license cost for data replication
Data fidelity
Data Resilency
Disaster Recovery
Search Affinity

Question 11

What are cons of clustering?

Answer 11

Increased storage requirements
Increased processing load (depends of RF and SF)
Requires additional Splunk instances:
Minimum: RF + CM + SH = # of insances required
REcommended: More than RF, and multiple SHs
Indexers require the same OS and versions
Requires cluster specific deployment management

Question 12

What are configuration bundles?

Answer 12

A set of configuration files and apps common to all peers.

Question 13

Where do configuration bundles reside on cluster master and cluster peer

Answer 13

Cluster Master:
$SPLUNK_HOME/etc/master-apps

Cluster Peer:
$SPLUNK_HOME/etc/slave-apps

Question 14

What are some of the configuration changes that require a restart?

Answer 14

Changes to indexes.conf, inputs,conf
Changes to a home path in indexes.conf
Dleeting an existing app

Question 15

What are some of the configuration changes that do not need a restart?

Answer 15

Adding a new index or a new app with reloadable configs

Changes or additions to transforms.conf or props.conf

Question 16

Through which port do peers communicate with?

Answer 16

With replication port: 8080

Question 17

Through which port does master node, search head, and peers communicate?

Answer 17

Through management port: 8089

Question 18

Through which port does forwarder push data to indexers?

Answer 18

Through 9997 port (recieving port)

Question 19

To participate in the indexecr cluster, all nodes, including the search head must use the same…

Answer 19

pass4SymmKey

Question 20

What is the best practice for setting up cluster master/deployment server architectures?

Answer 20

DS ———-> CM ———> INDEXING CLUSTER

Question 21

What is search affinity?

Answer 21

The ability to configure a multisite indexer cluster so that each search head gets its search results from peer nodes on its local site only, as long as the site is valid. Search affinity has the benefit of reducing network traffic while still providing access to the full set of data.

Question 22

What is a multisite indexer cluster?

Answer 22

An indexer cluster that spans multiple physical sites, such as data centers. Each site has its own set of peer nodes and search heads. Each site also obeys site-specific replication and search factor rules.

Question 23

Name the 5 pros of indexer clustering

Answer 23

• Data Availability
• Data Fidelity
• Data resilency
• Disaster Recovery
• Search Affinity

Question 24

What is Data Availbility in Splunk?

Answer 24

..

Question 25

What is Data Fidelity?

Answer 25

This term is used to define when data is transmitted from one sensor node to another, retains its actual meaning and granularity.

Question 26

What is Data Resliency

Answer 26

Data Resiliency
The term “data resiliency” refers to data’s ability to “spring back” in situations where it is compromised. In the cloud, data is resilient because it can be stored in a number of different locations. No one location is better than the other, availability is just improved by the more places data is stored, specifically in the event a location goes down or the data becomes corrupted. Users have access to data so long as the location they are storing their data at is accessible and the data isn’t compromised. If the one location goes down, users are directed to the second location. If all locations go down, then the organization no longer has access to its data.

Comparable to having keys to one’s house… The more keys you have, the less likely you are to get locked out. Hiding a key outside and keeping one hooked on your key chain assure higher resiliency. If you lose your keys or a key breaks, you can go use your hidden key outside. If you lose all the keys to your house, then you aren’t able to get in.

Resiliency is the ability of a server, network, storage system, or an entire data center, to recover quickly and continue operating even when there has been an equipment failure, power outage or other disruption.