Splunk 7.2.1 - Indexer

Table of Contents
Manage indexes
    About managing indexes
    Create custom indexes
    Remove indexes and indexed data
    Manage pipeline sets for index parallelization
    Optimize indexes
    Use the monitoring console to view indexing performance
Deploy the indexer cluster
    Indexer cluster deployment overview
    Key differences between clustered and non-clustered deployments of indexers
    System requirements and other deployment considerations for indexer clusters
    Enable the indexer cluster master node
    Enable the peer nodes
    Enable the search head
    Best practice: Forward master node data to the indexer layer
    Prepare the peers for index replication
    Use indexer clusters to scale indexing
    Migrate non-clustered indexers to a clustered environment
    Upgrade an indexer cluster
    Use rolling upgrade
Configure the peers
    Configure peer nodes with the CLI
    Manage common configurations across all peers
    Manage app deployment across all peers
    Configure the peer indexes in an indexer cluster
    Update common peer configurations and apps
    Manage configurations on a peer-by-peer basis
Manage the indexer cluster
    Remove a peer from the master's list
Deploy SmartStore
    SmartStore system requirements
    Configure the remote store for SmartStore
    Choose the storage location for each index
    SmartStore security strategies
    Deploy SmartStore on a new indexer cluster
    Migrate existing data on an indexer cluster to SmartStore
    Bootstrap SmartStore indexes onto an indexer cluster
Manage SmartStore
    Configure SmartStore
    Configure the SmartStore cache manager
    Configure data retention for SmartStore indexes
    Add a SmartStore index
    Troubleshoot SmartStore
Indexing overview
The index is the repository for Splunk Enterprise data. Splunk Enterprise
transforms incoming data into events, which it stores in indexes.
Indexes
As Splunk Enterprise indexes your data, it creates a number of files. These files
fall into two main categories:
• The raw data in compressed form (the rawdata files)
• Indexes that point to the raw data (the index files, also known as tsidx files)
Together, these files constitute the Splunk Enterprise index. The files reside in
sets of directories organized by age. These directories are called buckets. See
How Splunk Enterprise stores indexes.
Splunk Enterprise manages its indexes to facilitate flexible searching and fast
data retrieval, eventually archiving them according to a user-configurable
schedule. Splunk Enterprise handles everything with flat files; it doesn't require
any third-party database software running in the background.
To start indexing, you simply specify the data inputs that you want Splunk
Enterprise to index. You can add more inputs at any time, and Splunk Enterprise
will begin indexing them as well. See What Splunk Enterprise can index in
Getting Data In to learn how to add data inputs.
Splunk Enterprise, by default, puts all user data into a single, preconfigured
index. It also employs several other indexes for internal purposes. You can add
new indexes and manage existing ones to meet your data requirements. See
Manage indexes.
Event processing
Getting Data In describes how to configure event processing to meet the needs
of your data. See Overview of event processing.
Index types
There are two types of indexes: events indexes and metrics indexes. There are
minimal differences in how indexers process and manage the two index types.
Despite its name, event processing occurs in the same sequence for both events
and metrics indexes. Metrics data is really just a highly structured kind of event
data.
Indexers
The indexer is the Splunk Enterprise component that creates and manages
indexes. The primary functions of an indexer are to index incoming data and to
search the indexed data.
For larger-scale needs, indexing is split out from the data input function and
sometimes from the search management function as well. In these larger,
distributed deployments, the Splunk Enterprise indexer might reside on its own
machine and handle only indexing, along with searching of its indexed data. In
those cases, other Splunk Enterprise components take over the non-indexing
roles. Forwarders consume the data, indexers index and search the data, and
search heads coordinate searches across the set of indexers.
For more information on using indexers in a distributed deployment, see Indexers
in a distributed deployment.
Indexer clusters
Indexer clusters feature automatic failover from one peer node to the next. This
means that, if one or more peers fail, incoming data continues to get indexed and
indexed data continues to be searchable.
The first part of this manual contains configuration and management information
relevant for all indexers, independent of whether they are part of a cluster. The
second part of this manual, starting with the topic About indexer clusters and
index replication, is relevant only for clusters.
How indexing works
The indexing process follows the same sequence of steps for both events
indexes and metrics indexes.
Data enters the indexer and proceeds through a pipeline where event
processing occurs. Finally, the processed data is written to disk. This pipeline
consists of several shorter pipelines that are strung together. A single instance of
this end-to-end data pipeline is called a pipeline set.
Event processing occurs in two main stages, parsing and indexing. All data that
comes into Splunk Enterprise enters through the parsing pipeline as large
(10,000 bytes) chunks. During parsing, Splunk Enterprise breaks these chunks
into events which it hands off to the indexing pipeline, where final processing
occurs.
During the parsing phase, Splunk Enterprise performs a number of actions,
including:
• Extracting a set of default fields for each event, including host, source,
and sourcetype.
• Configuring character set encoding.
• Identifying line termination using linebreaking rules. While many events
are short and only take up a line or two, others can be long.
• Identifying timestamps or creating them if they don't exist. At the same
time that it processes timestamps, Splunk identifies event boundaries.
• Splunk can be set up to mask sensitive event data (such as credit card or
social security numbers) at this stage. It can also be configured to apply
custom metadata to incoming events.
During the indexing phase, Splunk Enterprise performs additional actions,
including:
• Breaking all events into segments that can then be searched upon. You
can determine the level of segmentation, which affects indexing and
searching speed, search capability, and efficiency of disk compression.
• Building the index data structures.
• Writing the raw data and index files to disk, where post-indexing
compression occurs.
Note: The term "indexing" is also used in a more general sense to refer to the
entirety of event processing, encompassing both the parsing pipeline and the
indexing pipeline. The differentiation between the parsing and indexing pipelines
is of relevance mainly when deploying heavy forwarders.
Heavy forwarders can run raw data through the parsing pipeline and then forward
the parsed data on to indexers for final indexing. Universal forwarders do not
parse data in this way. Instead, universal forwarders forward the raw data to the
indexer, which then processes it through both pipelines.
For more information about events and how the indexer transforms data into
events, see the chapter Configure event processing in Getting Data In.
Note: This is a simplified, functional view of the indexing architecture; it does not
fully describe Splunk Enterprise internals. In particular, the parsing pipeline
actually consists of three
pipelines: parsing, merging, and typing, which together handle the parsing
function. The distinction can matter during troubleshooting, but does not
generally affect how you configure or deploy Splunk Enterprise.
For a more detailed discussion of the data pipeline and how it affects deployment
decisions, see How data moves through Splunk Enterprise: the data pipeline in
Distributed Deployment.
What's in an index?
Splunk Enterprise stores the data it processes in indexes. By default, index data
resides under $SPLUNK_HOME/var/lib/splunk. Indexes consist of two types of files:
rawdata files and index files. See How Splunk Enterprise stores indexes.
Splunk Enterprise comes with a number of preconfigured indexes, including:
• main: This is the default Splunk Enterprise index. All processed data is
stored here unless otherwise specified.
• _internal: Stores Splunk Enterprise internal logs and processing metrics.
• _audit: Contains events related to the file system change monitor,
auditing, and all user search history.
A Splunk Enterprise administrator can create new indexes, edit index properties,
remove unwanted indexes, and relocate existing indexes. Splunk Enterprise
administrators manage indexes through Splunk Web, the CLI, and configuration
files such as indexes.conf. See Managing indexes.
Index time versus search time
If you do not create the custom source types and hosts until after you have
begun to index data, you have two choices: re-index the data so that the custom
source types and hosts apply to the existing data as well as to new data, or
manage the issue at search time by tagging the events with alternate values.
Extracting custom fields at index time means that the index gets
enlarged by the additional fields, and a search on a larger index takes longer.
You can avoid such performance issues by instead relying on search-time field
extraction. For details on search-time field extraction, see About fields and When
Splunk Enterprise extracts fields in the Knowledge Manager Manual.
At index time
Index-time processes take place between the point when the data is consumed
and the point when it is written to disk.
At search time
Search-time processes, such as search-time field extraction, take place while a
search is run, as events are collected by the search.
The data pipeline provides a more detailed way to think about the progression of
data through the system. The data pipeline is particularly useful for
understanding how to assign configurations and work across a distributed
deployment. See How data moves through Splunk: the data pipeline in
Distributed Deployment.
Install an indexer
All full Splunk Enterprise instances serve as indexers by default. To learn how to
install a Splunk Enterprise instance, read the Installation Manual. Then return to
this manual to learn how to configure the indexer.
If you plan to deploy an indexer in a distributed deployment, next read the topic,
Indexers in a distributed environment.
The indexer is the Splunk Enterprise component that creates and manages
indexes. Its primary functions are to index incoming data and to search the
indexed data.
For larger-scale needs, indexing is split out from the data input function and
sometimes from the search management function as well. In these larger,
distributed deployments, the indexer might reside on its own machine and handle
only indexing, along with searching of its indexed data. In those cases, other
Splunk Enterprise components take over the non-indexing roles.
For instance, you might have a set of Windows and Linux machines generating
events, which need to go to a central indexer for consolidation. Usually the best
way to do this is to install a lightweight instance of Splunk Enterprise, known as a
forwarder, on each of the event-generating machines. These forwarders handle
data input and send the data across the network to the indexer residing on its
own machine.
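For example, here is a minimal sketch of how such a forwarder might point to the
central indexer in its outputs.conf. The output group name, host name, and port
are illustrative placeholders rather than values from this manual:
[tcpout:central_indexer]
server = indexer.example.com:9997
The indexer must separately be configured to listen for forwarded data on the
chosen receiving port.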
Similarly, in cases where you have a large amount of indexed data and
numerous concurrent users searching on it, it can make sense to split off the
search management function from indexing. In this type of scenario, known as
distributed search, one or more search heads distribute search requests
across multiple indexers. The indexers still perform the actual searching of their
own indexes, but the search heads manage the overall search process across all
the indexers and present the consolidated search results to the user.
While the fundamental issues of indexing and event processing remain the same
for distributed deployments, it is important to take into account deployment needs
when planning your indexing strategy.
To forward remote data to an indexer, you use forwarders, which are Splunk
Enterprise instances that receive data inputs and then consolidate and send the
data to a Splunk Enterprise indexer. Forwarders come in two flavors:
• Universal forwarders. These have a very small footprint and forward raw
data to the receiving indexer with minimal processing.
• Heavy forwarders. These are full Splunk Enterprise instances that can parse
data before forwarding it to the receiving indexer. (See How indexing works
for the distinction between parsing and indexing.) They can store indexed
data locally and also forward the parsed data to a receiver for final indexing
on that machine as well.
Both types of forwarders tag data with metadata such as host, source, and
source type, before forwarding it on to the indexer.
In distributed search, search heads send search requests to indexers and then
merge the results back to the user. This is useful for a number of purposes,
including horizontal scaling, access control, and managing geo-dispersed data.
Indexer clusters also use search heads to coordinate searches across the
cluster's peer nodes. See About indexer clusters and index replication.
A typical distributed deployment includes these components:
• Indexers
• Forwarders (typically, universal forwarders)
• Search head(s)
By default, all full Splunk Enterprise instances serve as indexers. For horizontal
scaling, you can install multiple indexers on separate machines.
To learn how to install a Splunk Enterprise instance, read the Installation Manual.
Then return to this manual for information on configuring each individual indexer
to meet the needs of your specific deployment.
You can install one or more search heads to handle your distributed search
needs. Search heads are just full Splunk Enterprise instances that have been
specially configured.
You can use the Splunk Enterprise deployment server to simplify the job of
updating the deployment components. For details on how to configure a
deployment server, see Updating Splunk Enterprise Instances.
If data availability, data fidelity, and data recovery are key issues for your
deployment, then you should consider deploying an indexer cluster, rather than a
series of individual indexers. For further information, see About indexer clusters
and index replication.
Manage indexes
Splunk Enterprise comes with a number of preconfigured indexes, including:
• main: The default Splunk Enterprise index. All processed external data is
stored here unless otherwise specified.
• _internal: This index includes Splunk Enterprise internal logs and metrics.
• _audit: Events from the file system change monitor, auditing, and all user
search history.
A number of topics in this manual describe ways you can manage your indexes.
In particular, the following topics are helpful in index management:
Index types
• Events indexes. Events indexes impose minimal structure and can
accommodate any type of data, including metrics data. Events indexes are
the default index type.
• Metrics indexes. Metrics indexes use a highly structured format to handle
the higher volume and lower latency demands associated with metrics
data. Putting metrics data into metrics indexes results in faster
performance and less use of index storage, compared to putting the same
data into events indexes. For information on the metrics format, see the
Metrics manual.
There are minimal differences in how indexers handle the two index types. Any
differences that do exist are described in the relevant topic.
You can create either of two index types:
• Events indexes
• Metrics indexes
Events indexes are the default index type. To create events indexes, see Create
events indexes.
To create metrics indexes, see Create metrics indexes. For general information
on metrics indexes, see the Metrics manual, starting with Overview of metrics.
The main index, by default, holds all your events. It also serves as the default
index for any inputs or search commands that don't specify an index, although
you can change the default.
With a Splunk Enterprise license, you can add an unlimited number of additional
indexes. You can add indexes using Splunk Web, the CLI, or indexes.conf.
The main reason you'd set up multiple indexes is to control user access to the
data that's in them. When you assign users to roles, you can limit user searches
to specific indexes based on the role they're in.
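As an illustration, this kind of restriction is typically expressed in authorize.conf.
The following is a minimal sketch; the role name, index names, and the use of the
srchIndexesAllowed and srchIndexesDefault settings are assumptions for
illustration, not details taken from this manual:
[role_web_analyst]
srchIndexesAllowed = web;main
srchIndexesDefault = web
With a configuration along these lines, searches run by users in the role default
to the web index and cannot reach indexes outside the allowed list.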
In addition, if you have different policies for retention for different sets of data,
you might want to send the data to different indexes and then set a different
archive or retention policy for each index.
Another reason to set up multiple indexes has to do with the way search works. If
you have both a high-volume/high-noise data source and a low-volume data
source feeding into the same index, and you search mostly for events from the
low-volume data source, the search speed will be slower than necessary,
because the indexer also has to search through all the data from the high-volume
source. To mitigate this, you can create dedicated indexes for each data source
and send data from each source to its dedicated index. Then, you can specify
which index to search on. You'll probably notice an increase in search speed.
You can create events indexes with Splunk Web, the CLI, or by editing
indexes.conf directly.
Note: To add a new index to an indexer cluster, you must directly edit
indexes.conf. You cannot add an index via Splunk Web or the CLI. For
information on how to configure indexes.conf for clusters, see Configure the
peer indexes in an indexer cluster. That topic includes an example of creating a
new cluster index.
To create an events index in Splunk Web:
1. Navigate to Settings > Indexes and click New Index.
2. Enter the following information:
• A name for the index. User-defined index names must consist of only
numbers, lowercase letters, underscores, and hyphens. They cannot
begin with an underscore or hyphen, or contain the word "kvstore".
• The index data type. For event data, click Events. This is the default data
type.
• The path locations for index data storage:
♦ Home path. Leave blank for default $SPLUNK_DB/<index_name>/db
♦ Cold path. Leave blank for default
$SPLUNK_DB/<index_name>/colddb
♦ Thawed path. Leave blank for default
$SPLUNK_DB/<index_name>/thaweddb
• Enable/disable data integrity check.
• The maximum size of the entire index. Defaults to 500000MB.
• The maximum size of each index bucket. When setting the maximum size,
use auto_high_volume for high volume indexes (such as the main index);
otherwise, use auto.
• The frozen archive path. Set this field if you want to archive frozen
buckets. For information on bucket archiving, see Archive indexed data.
• The app in which the index resides.
• The tsidx retention policy. See Reduce tsidx usage.
3. Click Save.
You can edit an index by clicking on the index name in the Indexes section of the
Settings menu in Splunk Web. Properties that you cannot change in Splunk Web
are grayed out. To change those properties, edit indexes.conf, then restart the
indexer.
Note: Some index properties are configurable only by editing the indexes.conf
file. Check the indexes.conf topic for a complete list of properties.
Use the CLI
Navigate to the $SPLUNK_HOME/bin/ directory and use the add index command.
You do not need to stop the indexer first.
If you do not want to use the default path for your new index, you can use
parameters to specify a new location:
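For example, here is a minimal sketch of the command, without and with a custom
home path. The index name, path, and the -homePath parameter are illustrative
assumptions rather than values taken from this manual:
cd $SPLUNK_HOME/bin
./splunk add index newindex
./splunk add index newindex -homePath /data/newindex/db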
Edit indexes.conf
[newindex]
homePath=<path for hot and warm buckets>
coldPath=<path for cold buckets>
thawedPath=<path for thawed buckets>
...
For information on index settings, see Configure index storage and the
indexes.conf spec file.
Note: User-defined index names must consist of only numbers, lowercase
letters, underscores, and hyphens. They cannot begin with an underscore or
hyphen, or contain the word "kvstore".
By default, all external events go to the index called main. However, you might
want to send some events to other indexes. For example, you might want to
route all data from a particular input to its own index. Or you might want to
segment data or send event data from a noisy source to an index that is
dedicated to receiving it.
Important: To send events to a specific index, the index must already exist on
the indexer. If you route any events to an index that doesn't exist, the indexer will
drop those events.
To send all events from a particular data input to a specific index, add the
following line to the input's stanza in inputs.conf on the Splunk Enterprise
component where the data is entering the system: either the indexer itself or a
forwarder sending data to the indexer:
index = <index_name>
The following example inputs.conf stanza sends all data from /var/log to an
index named fflanda:
[monitor:///var/log]
disabled = false
index = fflanda
Route specific events to a different index
Just as you can route events to specific queues, you can also route specific
events to specific indexes. You configure this on the indexer itself, not on the
forwarder sending data to the indexer, if any.
To route certain events to a specific index, edit props.conf and transforms.conf
on the indexer:
1. Identify a common attribute for the events that can be used to differentiate
them.
2. In props.conf, create a stanza for the source, source type, or host. This
stanza specifies a transforms_name that corresponds to a regex-containing
stanza you will create in transforms.conf.
3. In transforms.conf, create the stanza named for that <transforms_name>. The
stanza specifies the regular expression that identifies the events to reroute,
along with the alternate index that matching events route to.
The sections below fill out the details for steps 2 and 3.
Edit props.conf
[<spec>]
TRANSFORMS-<class_name> = <transforms_name>
Note the following:
• <spec> can be <sourcetype>, host::<host>, or source::<source>.
• <class_name> is any unique identifier that you choose for the transform class.
• <transforms_name> must match the name of the stanza that you create in
transforms.conf.
Edit transforms.conf
[<transforms_name>]
REGEX = <your_custom_regex>
DEST_KEY = _MetaData:Index
FORMAT = <alternate_index_name>
Note the following:
• <transforms_name> must match the transforms name specified in props.conf.
• REGEX is the regular expression that identifies the events to route to the
alternate index.
• DEST_KEY must be set to _MetaData:Index.
• FORMAT is the name of the alternate index that matching events route to.
Example
1. Identify an attribute
A sample event (truncated) looks like the following:
Audit WEB1 Privilege Use Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x4F3C5880) Assigned: SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeChangeNotifyPrivilege SeAssignPrimaryTokenPrivilege 525
Some events contain the value "Application", while others contain the value
"Security" in the same location.
2. Edit props.conf
[windows_snare_syslog]
TRANSFORMS-index = AppRedirect
This directs events of windows_snare_syslog sourcetype to the AppRedirect
stanza in transforms.conf.
3. Edit transforms.conf
[AppRedirect]
REGEX = MSWinEventLog\s+\d+\s+Application
DEST_KEY = _MetaData:Index
FORMAT = applogindex
This stanza processes the events directed here by props.conf. Events that
match the regex (because they contain the string "Application" in the specified
location) get routed to the alternate index, "applogindex". All other events route
as usual to the default index.
When the indexer searches, it targets the default index (by default, main), unless
the search explicitly specifies an index. For example, this search command
searches in the hatch index:
index=hatch userid=henry.gale
You can also specify an alternate default index for a given role to search when
you create or edit that role.
Create metrics indexes
You can create metrics indexes with Splunk Web, the CLI, the REST API, or by
editing indexes.conf directly. For more about metrics, see Overview of metrics in
the Metrics manual.
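As a sketch of the CLI approach, the add index command can also create a
metrics index when you pass a datatype parameter. The index name is a
placeholder, and the -datatype parameter is an assumption based on standard
CLI usage rather than something shown in this manual:
./splunk add index mymetricsindex -datatype metric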
Use the REST API
For example, to create a metrics index called mymetricsindex, enter the following
command:
curl -k -u admin:pass https://localhost:8089/services/data/indexes -d name=mymetricsindex -d datatype=metric
To list all indexes, including events indexes, enter the following command:
curl -k -u admin:pass
https://localhost:8089/services/data/indexes?datatype=all
Edit indexes.conf
[mymetricsindex]
homePath=<path for hot and warm buckets>
coldPath=<path for cold buckets>
thawedPath=<path for thawed buckets>
datatype = metric
...
For information on index settings, see Configure index storage and the
indexes.conf spec file.
For information on adding or editing index configurations on cluster nodes, see
Configure the peer indexes in an indexer cluster.
Remove indexes and indexed data
Caution: Removing data is irreversible. If you want to get your data back once
you've removed data using any of the techniques described in this topic, you
must re-index the applicable data sources.
The Splunk search language provides the special command delete to remove
event data from subsequent searches. Before using delete, read this section
carefully.
The delete command is available only with events indexes. You cannot use it
with metrics indexes.
Note: You cannot run the delete command during a real-time search; you
cannot delete events as they come in. If you try to use delete during a real-time
search, Splunk Enterprise will display an error.
The delete command can only be run by a user with the "delete_by_keyword"
capability. By default, Splunk Enterprise ships with a special role, "can_delete",
that has this capability (and no others). The admin role does not have this
capability by default. It is recommended that you create a special user to log in
as when you intend to delete index data.
For more information, refer to Add and edit roles in Securing Splunk Enterprise.
How to delete
First run a search that returns the events you want deleted. Make sure that this
search returns only the events you want to delete, and no other events. Once
you're certain of that, you can pipe the results of the search to the delete
command.
For example, if you want to remove the events you've indexed from a source
called /fflanda/incoming/cheese.log so that they no longer appear in searches,
do the following:
1. Disable or remove the data input so that no new events arrive from that source.
2. Search for the events from that source:
source="/fflanda/incoming/cheese.log"
3. Look at the results to confirm that this is the data you want to delete.
4. Once you've confirmed that this is the data you want to delete, pipe the search
to delete:
source="/fflanda/incoming/cheese.log" | delete
See the page about the delete command in the Search Reference Manual for
more examples.
Note: When running Splunk on Windows, substitute the forward slashes (/) in the
examples with backslashes (\).
Piping a search to the delete command marks all the events returned by that
search so that subsequent searches do not return them. No user (even with
admin permissions) will be able to see this data when searching.
Note: Piping to delete does not reclaim disk space. The data is not actually
removed from the index; it is just invisible to searches.
The delete command does not update the metadata of the events, so any
metadata searches will still include the events although they are not searchable.
The main All indexed data dashboard will still show event counts for the deleted
sources, hosts, or sourcetypes.
The delete operation and indexer clusters
In the normal course of index replication, the effects of a delete operation get
quickly propagated across all bucket copies in the cluster, typically within a few
seconds or minutes, depending on the cluster load and amount of data and
buckets affected by the delete operation. During this propagation interval, a
search can return results that have already been deleted.
Also, if a peer that had primary bucket copies at the time of the delete operation
goes down before all the results have been propagated, some of the deletes will
be lost. In that case, you must rerun the operation after the primary copies from
the downed peer have been reassigned.
To delete indexed data permanently from your disk, use the CLI clean command.
This command completely deletes the data in one or all indexes, depending on
whether you provide an <index_name> argument. Typically, you run clean before
re-indexing all your data.
Important: You must stop the indexer before you run the clean command.
Examples
This example removes data from all indexes:
splunk stop
splunk clean eventdata
This example removes data from the _internal index and forces Splunk to skip
the confirmation prompt:
splunk stop
splunk clean eventdata -index _internal -f
Remove an index entirely
To remove an index entirely (and not just the data contained in it), use the CLI
command remove index:
splunk remove index <index_name>
Before running the command, look through all inputs.conf files (on your indexer
and on any forwarders sending data to the indexer) and make sure that none of
the stanzas are directing data to the index you plan to delete. In other words, if
you want to delete an index called "nogood", make sure the following
attribute/value pair does not appear in any of your input stanzas: index=nogood.
Once the index has been deleted, the indexer will discard any data still being
sent to that index.
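For example, a minimal sketch using the hypothetical index name from the
paragraph above:
splunk remove index nogood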
When you run remove index, it first warns you if any of the inputs on the indexer
(but not on any forwarders) are still configured to send data to the specified
index. You'll see a message like this:
03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - Events from the
following 3 inputs will now be discarded, since they had targeted
index=zzz:
03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - type: monitor,
id: /home/v/syslog-avg-1000-lines
03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - type: monitor,
id: /mnt/kickstart/internal/fermi
03-28-2012 23:59:22.973 -0700 WARN IndexAdminHandler - type: monitor,
id: /mnt/kickstart/internal/flights
You can run remove index while splunkd is running. You do not need to restart
splunkd after the command completes.
The index deletion process is ordinarily fast, but the duration depends on the
size of the index being removed and other factors.
Disable an index
Use the disable index CLI command to disable an index without deleting it:
splunk disable index <index_name>
You can also disable an index in Splunk Web. To do this, navigate to Settings >
Indexes and click Disable to the right of the index you want to disable.
When data in an index reaches a specified age or when the index grows to a
specified size, it rolls to the "frozen" state, at which point the indexer deletes it
from the index. Just before deleting the data, the indexer can move it to an
archive, depending on how you configure your retirement policy.
Manage pipeline sets for index parallelization
Index parallelization is a feature that allows an indexer to maintain multiple
pipeline sets. A pipeline set handles the processing of data from ingestion of
raw data, through event processing, to writing the events to disk. A pipeline set is
one instance of the processing pipeline described in How indexing works.
By default, an indexer runs just a single pipeline set. However, if the underlying
machine is under-utilized, in terms of available cores and I/O both, you can
configure the indexer to run two pipeline sets. By running two pipeline sets, you
potentially double the indexer's indexing throughput capacity.
Typical use cases for index parallelization include increasing overall indexing
throughput and handling bursts of incoming data, when the underlying machine
has the available resources.
For a better understanding of the use cases and to determine whether your
deployment can benefit from multiple pipeline sets, see Parallelization settings in
the Capacity Planning Manual.
Note: You cannot use index parallelization with multiple pipeline sets for metrics
data that is received from a UDP data input. If your system uses multiple pipeline
sets, use a TCP or HTTP Event Collector data input for metrics data. For more
about metrics, see the Metrics manual.
Caution: Before you increase the number of pipeline sets from the default of
one, be sure that your indexer can support multiple pipeline sets. Read
Parallelization settings in the Capacity Planning Manual. In addition, consult with
Professional Services, particularly if you want to increase the number of pipeline
sets beyond two.
To set the number of pipeline sets to two, change the
parallelIngestionPipelines attribute in the [general] stanza of server.conf:
[general]
parallelIngestionPipelines = 2
You must restart the indexer for the change to take effect.
Unless Professional Services advises otherwise, limit the number of pipeline sets
to a maximum of 2.
When you implement two pipeline sets, you have two complete processing
pipelines, from the point of data ingestion to the point of writing events to disk.
The pipeline sets operate independently of each other, with no knowledge of
each other's activities. The effect is essentially the same as if each pipeline set
was running on its own, separate indexer.
Each data input goes to a single pipeline. For example, if you are directly
ingesting a file, the entire file will get processed through a single pipeline. The
pipelines do not share the file's data.
When a data input enters the indexer, it can enter either of the pipeline sets. The
indexer uses round-robin load balancing to allocate new inputs across its pipeline
sets.
Some indexing settings are scoped to pipeline sets. These include any settings
that are related to a pipeline, processor or queue. Examples of these include
max_fd and maxKBps in limits.conf and maxHotBuckets in indexes.conf.
If you have multiple pipeline sets, these limits apply to each pipeline set
individually, not to the indexer as a whole. For example, each pipeline set is
separately subject to the maxHotBuckets limit. If you set maxHotBuckets to 4, each
pipeline set is allowed a maximum of four hot buckets at a time, for a total of
eight on an indexer with two pipeline sets.
Forwarders and multiple pipeline sets
You can also configure forwarders to run multiple pipeline sets. Multiple pipeline
sets increase forwarder throughput and allow the forwarder to process multiple
inputs simultaneously.
This can be of particular value, for example, when a forwarder needs to process
a large file that would occupy the pipeline for a long period of time. With just a
single pipeline, no other files can be processed until the forwarder finishes the
large file. With two pipeline sets, the second pipeline can ingest and forward
smaller files quickly, while the first pipeline continues to process the large file.
Assuming that the forwarder has sufficient resources and depending on the
nature of the incoming data, a forwarder with two pipelines can potentially
forward twice as much data as a forwarder with one pipeline.
When you enable multiple pipeline sets on a forwarder, each pipeline handles
both data input and output. In the case of a heavy forwarder, each pipeline also
handles parsing.
The forwarder uses round-robin load balancing to allocate new inputs across its
pipeline sets.
The forwarder forwards the output streams independently of each other. If the
forwarder is configured for load balancing, it load balances each output stream
separately. The receiving indexer handles each stream coming from the
forwarder separately, as if each stream were coming from a different forwarder.
Note: The pipeline sets on forwarders and indexers are entirely independent of
each other. For example, a forwarder with multiple pipeline sets can forward to
any indexer, no matter whether the indexer has one pipeline set or two. The
forwarder does not know the pipeline configuration on the indexer, and it does
not need to know it. Similarly, an indexer with multiple pipeline sets can receive
data from any forwarder, no matter how many pipeline sets the forwarder has.
You configure the number of pipeline sets for forwarders in the same way as for
indexers, with the parallelIngestionPipelines attribute in the [general] stanza
of server.conf.
For heavy forwarders, the indexer guidelines apply: The underlying machine
must be significantly under-utilized. You should generally limit the number of
pipeline sets to two and consult with Professional Services. See Parallelization
settings in the Capacity Planning Manual.
For universal forwarders, a single pipeline set uses, on average, around 0.5 of a
core, but utilization can reach a maximum of 1.5 cores. Therefore, two pipeline
sets will use between 1.0 and 3.0 cores. If you want to configure more than two
pipeline sets on a universal forwarder, consult with Professional Services first.
Optimize indexes
While the indexer is indexing data, one or more instances of the splunk-optimize
process will run intermittently, merging index files together to optimize
performance when searching the data. The splunk-optimize process can use a
significant amount of CPU, but only briefly. You can reduce the number of
concurrent instances of splunk-optimize by changing the value of
maxConcurrentOptimizes in indexes.conf, but this is not typically necessary.
splunk-optimize runs only on hot buckets. You can run it on warm buckets
manually, if you find one with a large number of index (.tsidx) files; typically,
more than 25. To run splunk-optimize, go to $SPLUNK_HOME/bin and type:
splunk-optimize
To enable verbose logging from splunk-optimize to splunkd.log, you can set
category.SplunkOptimize in log.cfg to INFO or DEBUG, either by editing log.cfg
directly or through the CLI.
Use the monitoring console to view indexing
performance
You can use the monitoring console to monitor most aspects of your deployment.
This topic discusses the console dashboards that provide insight into indexing
performance.
These dashboards provide information such as:
• Indexing rate
• Queue fill ratios
• CPU information for various parts of the data pipeline
View the dashboards themselves for more information. In addition, see Indexing
performance dashboards in Monitoring Splunk Enterprise.
Manage index storage
How the indexer stores indexes
As the indexer indexes your data, it creates a number of files: the raw data in
compressed form (rawdata) and indexes that point to the raw data (index files).
Together, these files constitute the Splunk Enterprise index. The files reside in
sets of directories organized by age. Some directories contain newly indexed
data; others contain previously indexed data. The number of such directories can
grow quite large, depending on how much data you're indexing.
You might not care, actually. The indexer handles indexed data by default in a
way that gracefully ages the data through several states. After a long period of
time, typically several years, the indexer removes old data from your system. You
might well be fine with the default scheme it uses.
However, if you're indexing large amounts of data, have specific data retention
requirements, or otherwise need to carefully plan your aging policy, you've got to
read this topic. Also, to back up your data, it helps to know where to find it. So,
read on....
A bucket moves through several states as it ages:
• hot
• warm
• cold
• frozen
• thawed
As buckets age, they "roll" from one state to the next. As data is indexed, it goes
into a hot bucket. Hot buckets are both searchable and actively being written to.
An index can have several hot buckets open at a time.
When certain conditions occur (for example, the hot bucket reaches a certain
size or splunkd gets restarted), the hot bucket becomes a warm bucket ("rolls to
warm"), and a new hot bucket is created in its place. Warm buckets are
searchable, but are not actively written to. There are many warm buckets.
Once further conditions are met (for example, the index reaches some maximum
number of warm buckets), the indexer begins to roll the warm buckets to cold,
based on their age. It always selects the oldest warm bucket to roll to cold.
Buckets continue to roll to cold as they age in this manner. After a set period of
time, cold buckets roll to frozen, at which point they are either archived or
deleted. By editing attributes in indexes.conf, you can specify the bucket aging
policy, which determines when a bucket moves from one state to the next.
If the frozen data has been archived, it can later be thawed. Thawed data is
available for searches.
The following table summarizes the bucket states:
Bucket state | Description | Searchable?
Hot | Contains newly indexed data. Open for writing. One or more hot buckets for each index. | Yes
Warm | Data rolled from hot. There are many warm buckets. Data is not actively written to warm buckets. | Yes
Cold | Data rolled from warm. There are many cold buckets. | Yes
Frozen | Data rolled from cold. The indexer deletes frozen data by default, but you can choose to archive it instead. Archived data can later be thawed. | No
Thawed | Data restored from an archive. If you archive frozen data, you can later return it to the index by thawing it. | Yes
The collection of buckets in a particular state is sometimes referred to as a
database or "db": the "hot db", the "warm db", the "cold db", etc.
The buckets themselves are subdirectories within those directories. The bucket
directory names are based on the age of the data.
Default bucket locations for the default index:
Bucket state | Default location | Notes
Hot | $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* | There can be multiple hot subdirectories, one for each hot bucket. See Bucket naming conventions.
Warm | $SPLUNK_HOME/var/lib/splunk/defaultdb/db/* | There are separate subdirectories for each warm bucket. See Bucket naming conventions.
Cold | $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/* | There are multiple cold subdirectories. When warm buckets roll to cold, they get moved into this directory, but are not renamed.
Frozen | N/A: Frozen data gets deleted or archived into a directory location you specify. | Deletion is the default; see Archive indexed data for information on how to archive the data instead.
Thawed | $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/* | Location for data that has been archived and later thawed. See Restore archived data for information on restoring archived data to a thawed state.
The paths for the hot/warm, cold, and thawed directories are configurable, so, for
example, you can store cold buckets in a separate location from hot/warm
buckets. See Configure index storage and Use multiple partitions for index data.
For indexes enabled with the SmartStore feature, which places data on a remote
store such as S3, the cold state does not ordinarily exist. See Bucket states and
SmartStore.
Bucket naming conventions
Non-clustered buckets
On a non-clustered indexer, each bucket exists as a single directory, named
according to the conventions shown in the Bucket names table below.
Clustered buckets
In an indexer cluster, the peer node that ingests the data (the source peer)
writes the original hot copy of each bucket.
As data is written to the hot copy, the source peer streams copies of the hot data,
in blocks, to other indexers in the cluster. These indexers are referred to as the
target peers for the bucket. The copies of the streamed data on the target peers
are known as replicated copies of the bucket.
When the source peer rolls its originating hot bucket to warm, the target peers
roll their replicated copies of that bucket. The warm copies are exact replicas of
each other.
Bucket names
Bucket type | Hot bucket | Warm/cold/thawed bucket
Non-clustered | hot_v1_<localid> | db_<newest_time>_<oldest_time>_<localid>
Clustered originating | hot_v1_<localid> | db_<newest_time>_<oldest_time>_<localid>_<guid>
Clustered replicated | <localid>_<guid> | rb_<newest_time>_<oldest_time>_<localid>_<guid>
Note:
In an indexer cluster, the originating warm bucket and its replicated copies have
identical names, except for the prefix (db for the originating bucket; rb for the
replicated copies).
Note: In an indexer cluster, when data is streamed from the source peer to a
target peer, the data first goes into a temporary directory on the target peer,
identified by the hot bucket convention of <localid>_<guid>. This is true for any
replicated bucket copy, whether or not the streaming bucket is a hot bucket. For
example, during bucket fix-up activities, a peer might stream a warm bucket to
other peers. When the replication of that bucket has completed, the
<localid>_<guid> directory is rolled into a warm bucket directory, identified by
the rb_ prefix.
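For illustration, a warm bucket directory on a non-clustered indexer might be
named as follows, where the two numbers are hypothetical newest and oldest
event times in epoch seconds and 17 is a hypothetical local ID:
db_1549226400_1549140000_17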
When you are administering Splunk Enterprise, it helps to understand how the
indexer stores indexes across buckets. In particular, several admin activities
require a good understanding of buckets:
• For information on how to archive your indexed data, see Archive indexed
data. To learn how to restore data from archive, read Restore archived
data.
• To learn how to back up your data, read Back up indexed data. That topic
also discusses how to manually roll hot buckets to warm, so that you can
then back them up.
• For information on setting limits on disk usage, see Set limits on disk
usage.
• For information on partitioning index data, see Use multiple partitions for
index data.
For non-clustered indexes only, you can optionally use Splunk Web to configure
the path to your indexes. Go to Settings > Server settings > General settings.
Under the section Index settings, set the field Path to indexes. After doing this,
you must restart the indexer from the CLI, not from within Splunk Web. Most
other settings, however, require direct editing of indexes.conf.
The following list describes the key indexes.conf attributes affecting buckets and what they
configure. It also provides links to other topics that show how to use these
attributes. For the most detailed information on these attributes, as well as
others, always refer to the indexes.conf spec file.
Note: This list is specific to non-SmartStore indexes. The set of attributes that
control SmartStore indexes is significantly different. See Configure SmartStore.
homePath
• What it configures: The path that contains the hot and warm buckets. (Required.) This location must be writable.
• Default: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/ (for the default index only)
• For more information, see: Configure index path attributes

coldPath
• What it configures: The path that contains the cold buckets. (Required.) This location must be writable.
• Default: $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/ (for the default index only)
• For more information, see: Configure index path attributes

thawedPath
• What it configures: The path that contains any thawed buckets. (Required.) This location must be writable.
• Default: $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/ (for the default index only)
• For more information, see: Configure index path attributes

repFactor
• What it configures: Determines whether the index gets replicated to other cluster peers. (Required for indexes on cluster peer nodes.)
• Default: 0, which means that the index will not get replicated to other peers; the correct behavior for non-clustered indexes. For clustered indexes, you must set repFactor to auto, which causes the index to get replicated.
• For more information, see: Configure the peer indexes in an indexer cluster

maxHotBuckets
• What it configures: The maximum number of hot buckets. This value should be at least 2, to deal with any archival data. The main default index, for example, has this value set to 10.
• Default: 3, for new, custom indexes.
• For more information, see: How data ages

maxDataSize
• What it configures: Determines rolling behavior, hot to warm. The maximum size for a hot bucket. When a hot bucket reaches this size, it rolls to warm. This attribute also determines the approximate size for all buckets.
• Default: Depends; see indexes.conf.
• For more information, see: Set a retirement and archiving policy

maxWarmDBCount
• What it configures: Determines rolling behavior, warm to cold. The maximum number of warm buckets. When the maximum is reached, warm buckets begin rolling to cold.
• Default: 300
• For more information, see: Use multiple partitions for index data

maxTotalDataSizeMB
• What it configures: Determines rolling behavior, cold to frozen. The maximum size of an index. When this limit is reached, cold buckets begin rolling to frozen.
• Default: 500000 (MB)
• For more information, see: Set a retirement and archiving policy

frozenTimePeriodInSecs
• What it configures: Determines rolling behavior, cold to frozen. Maximum age for a bucket, after which it rolls to frozen.
• Default: 188697600 (in seconds; approx. 6 years)
• For more information, see: Set a retirement and archiving policy

coldToFrozenDir
• What it configures: Location for archived data. Determines behavior when a bucket rolls from cold to frozen. If set, the indexer will archive frozen buckets into this directory just before deleting them from the index.
• Default: If you don't set either this attribute or coldToFrozenScript, the indexer will just log the bucket's directory name and then delete it once it rolls to frozen.
• For more information, see: Archive indexed data

coldToFrozenScript
• What it configures: Script to run just before a cold bucket rolls to frozen. If you set both this attribute and coldToFrozenDir, the indexer will use coldToFrozenDir and ignore this attribute.
• Default: If you don't set either this attribute or coldToFrozenDir, the indexer will just log the bucket's directory name and then delete it once it rolls to frozen.
• For more information, see: Archive indexed data

homePath.maxDataSizeMB and coldPath.maxDataSizeMB
• What they configure: Maximum size for homePath (hot/warm bucket storage) or coldPath (cold bucket storage). If either attribute is missing or set to 0, its path is not individually constrained in size.
• Default: None
• For more information, see: Configure index size according to bucket type

maxVolumeDataSizeMB
• What it configures: Maximum size for a volume. If the attribute is missing, the individual volume is not constrained in size.
• Default: None
• For more information, see: Configure index size with volumes
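To show how several of these attributes fit together, here is a minimal sketch of
an indexes.conf stanza. The index name, paths, and values are illustrative
placeholders, not recommendations from this manual:
[myindex]
homePath = $SPLUNK_DB/myindex/db
coldPath = $SPLUNK_DB/myindex/colddb
thawedPath = $SPLUNK_DB/myindex/thaweddb
# Freeze buckets when the index reaches about 250 GB or when data is about 3 years old.
maxTotalDataSizeMB = 250000
frozenTimePeriodInSecs = 94608000
# Archive frozen buckets to this directory instead of deleting them.
coldToFrozenDir = /opt/splunk_archive/myindex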
Configure index path attributes
When creating a new index, you configure several index path attributes, for
example, homePath and coldPath. When you configure path attributes, follow
these restrictions and recommendations:
• The path must be writable. In the case of homePath, the parent path must
also be writable.
• Do not use environment variables in index paths. The only exception to
this is SPLUNK_DB.
• The path cannot be a root directory, such as homePath=/myindex or
homePath=C:\myindex.
• It is recommended that you specify the path using $_index_name as
placeholder for the index name. For example:
homePath = $SPLUNK_DB/$_index_name/db
The configurable path attributes include:
• homePath
• coldPath
• thawedPath
• bloomHomePath
• summaryHomePath
• tstatsHomePath
For more information on path attributes, see the indexes.conf spec file.
For information on using multiple partitions to hold your index data, see Use
multiple partitions for index data.
The attributes that control the size of a non-SmartStore index and its number of
buckets operate on each peer node individually. They do not operate across the
cluster.
For example, take the maxTotalDataSizeMB attribute. This attribute specifies the
maximum size of the index. Its value is applied on a per-peer basis to limit the
size of the index on each peer. When an index reaches its maximum size on a
particular peer node, the peer freezes the oldest bucket in its copy of the index.
This means that the size of an index on a peer node is determined by the total
size of all bucket copies for that index on that peer node. It doesn't matter
whether the copies are primary copies, searchable copies, non-searchable
copies, or excess copies. They all count toward the index size on that peer.
Because a cluster usually does not distribute bucket copies perfectly evenly
across the set of peer nodes, an index will typically be a different size on each of
the peer nodes. This means that the index might reach its maximum size on one
peer while still having room to grow on the other peers.
To handle this situation, each peer tells the master when it freezes a copy of a
bucket. At that point, the master no longer initiates fix-up activities for the frozen
bucket. The master does not, however, instruct the other peers to freeze their
copies of that bucket. Each peer will subsequently freeze its copy of the bucket, if
any, when its copy of the index reaches the maximum size limit. See How the
cluster handles frozen buckets.
Note: Although these attributes operate separately on each peer, you should set
them to the same values across all peers in the cluster. See Configure the peer
indexes in an indexer cluster.
For help in sizing your cluster disk space needs, see Storage considerations.
Move the index database
The procedures in this topic assume that the index database is in the default
location, created during installation.
Note: Although you can use Splunk Web to change the locations of individual
indexes or index volumes, you cannot use it to change the default storage
location of indexes, SPLUNK_DB.
For *nix users
Prerequisites
Make sure the target file system has at least 1.2 times the size of the total
amount of raw data that you plan to index.
Steps
1. Create the target directory with write permissions for the user that Splunk
Enterprise runs as. For example, if Splunk Enterprise runs as user "splunk", give
it ownership of the directory:
mkdir /foo/bar
chown splunk /foo/bar/
For information on setting the user that Splunk Enterprise runs as, see Run
Splunk Enterprise as a different or non-root user in the Installation Manual.
2. Stop the indexer:
splunk stop
3. Copy the index file system to the target directory. For example:
cp -rp $SPLUNK_DB/* /foo/bar/
4. If the SPLUNK_DB environment variable is set in your environment, unset it:
unset SPLUNK_DB
5. Change the SPLUNK_DB attribute in $SPLUNK_HOME/etc/splunk-launch.conf to
specify the new index directory:
SPLUNK_DB=/foo/bar
6. Start the indexer:
splunk start
The indexer picks up where it left off, reading from, and writing to, the new copy
of the index.
7. You can delete the old index database after verifying that the indexer can read
and write to the new location.
For Windows users
Prerequisites
Make sure the target drive or directory has at least 1.2 times the size of the total
amount of raw data that you plan to index.
Steps
1. From a command prompt, make sure that the target directory has permissions
that allow the splunkd process to write to that directory:
C:\Program Files\Splunk> D:
D:\> mkdir \new\path\for\index
D:\> cacls D:\new\path\for\index /T /E /G <the user Splunk Enterprise
runs as>:F
For more information about determining the user Splunk Enterprise runs as, see
Install on Windows in the Installation Manual.
2. Stop the indexer:
splunk stop
You can also use the Services control panel to stop the splunkd and splunkweb
services.
3. Copy the index file system to the target directory. For example:
xcopy "C:\Program Files\Splunk\var\lib\splunk" D:\new\path\for\index /s /e /v
4. If the SPLUNK_DB environment variable is set, clear it:
set SPLUNK_DB=
5. Edit the SPLUNK_DB attribute in %SPLUNK_HOME%\etc\splunk-launch.conf to
specify the new index directory:
SPLUNK_DB=D:\new\path\for\index
If the line in the configuration file that contains the SPLUNK_DB attribute has a
pound sign (#) as its first character, remove the #.
6. Start the indexer:
splunk start
The indexer picks up where it left off, reading from, and writing to, the new copy
of the index.
7. You can delete the old index database after verifying that the indexer can read
and write to the new location.
Use multiple partitions for index data
The indexer can use multiple disks and partitions for its index data. It's possible
to configure the indexer to use many disks/partitions/filesystems on the basis of
multiple indexes and bucket types, so long as you mount them correctly and
point to them properly from indexes.conf. However, we recommend that you use
a single high performance file system to hold your index data for the best
experience.
If you do use multiple partitions, the most common way to arrange the index data
is to keep the hot/warm buckets on the local machine, and to put the cold bucket
on a separate array of disks (for longer term storage). You'll want to run your
hot/warm buckets on a machine with fast read/write partitions, since most
searching will happen there. Cold buckets should be located on a reliable array
of disks.
1. Set up partitions just as you'd normally set them up in any operating system.
2. Mount the partitions.
3. Edit indexes.conf to point to the correct paths for the partitions. You set paths
on a per-index basis, so you can also set separate partitions for different indexes.
Each index has its own [<index>] stanza, where <index> is the name of the
index. These are the settable path attributes:
♦ homePath: the path that contains the hot and warm databases for the
index.
♦ coldPath: the path that contains the cold databases for the index.
♦ thawedPath: the path that contains any thawed databases for the index.
♦ See Configure index path attributes for guidelines on defining index
paths.
Configure index storage size
You can configure index storage size in several ways:
• On a per-index basis
• For hot/warm and cold buckets separately
• Across indexes, using volumes
To configure index storage size, you set attributes in indexes.conf. For more
information on the attributes mentioned in this topic, read "Configure index
storage".
Caution: While processing indexes, the indexer might occasionally exceed the
configured maximums for short periods of time. When setting limits, be sure to
factor in some buffer space. Also, note that certain systems, such as most Unix
systems, maintain a configurable reserve space on their partitions. You must
take that reserve space, if any, into account when determining how large your
indexes can grow.
Configure index size according to bucket type
To set the maximum size for homePath (hot/warm bucket storage) or coldPath
(cold bucket storage), use the homePath.maxDataSizeMB and
coldPath.maxDataSizeMB attributes:
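For example, a sketch that caps the main index's hot/warm storage at 10,000MB
and its cold storage at 50,000MB (the values here are illustrative only):
[main]
homePath.maxDataSizeMB = 10000
coldPath.maxDataSizeMB = 50000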
You can manage disk usage across multiple indexes by creating volumes and
specifying maximum data size for them. A volume represents a directory on the
file system where indexed data resides.
Volumes can store data from multiple indexes. You would typically use separate
volumes for hot/warm and cold buckets. For instance, you can set up one volume
to contain the hot/warm buckets for all your indexes, and another volume to
contain the cold buckets.
You can use volumes to define homePath and coldPath. You cannot use them to
define thawedPath.
In addition, you must use volumes if you explicitly define bloomHomePath. For
information on bloomHomePath, see the topic "Configure bloom filters" in this
manual.
Configure a volume
You configure volumes in indexes.conf, using this syntax:
[volume:<volume_name>]
path = <pathname_for_volume>
You can also optionally include a maxVolumeDataSizeMB attribute, which specifies
the maximum size for the volume.
For example:
[volume:hot1]
path = /mnt/fast_disk
maxVolumeDataSizeMB = 100000
The example defines a volume called "hot1", located at /mnt/fast_disk, with a
maximum size of 100,000MB.
Similarly, this stanza defines a volume called "cold1" that uses a maximum of
150,000MB:
[volume:cold1]
path = /mnt/big_disk
maxVolumeDataSizeMB = 150000
Use a volume
Once you configure volumes, you can use them to define an index's homePath
and coldPath. For example, using the volumes configured above, you can define
two indexes:
[idx1]
homePath = volume:hot1/idx1
coldPath = volume:cold1/idx1
[idx2]
homePath = volume:hot1/idx2
coldPath = volume:cold1/idx2
You can use volumes to manage index storage space in any way that makes
sense to you. Usually, however, volumes correlate to hot/warm and cold buckets,
because of the different storage requirements typical when dealing with different
bucket types. So, you will probably use some volumes exclusively for designating
homePath (hot/warm buckets) and others for coldPath (cold buckets).
You can combine volumes with the per-index homePath.maxDataSizeMB and
coldPath.maxDataSizeMB attributes to prevent bursts of data into one index from
triggering massive bucket moves from other indexes. You can use these
per-index settings to ensure that no index will ever occupy more than a specified
size, thereby alleviating that concern.
For example:
# global settings
# volumes
[volume:caliente]
path = /mnt/fast_disk
maxVolumeDataSizeMB = 100000
[volume:frio]
path = /mnt/big_disk
maxVolumeDataSizeMB = 1000000
# indexes
[i1]
homePath = volume:caliente/i1
# homePath.maxDataSizeMB is inherited from the global setting
coldPath = volume:frio/i1
# coldPath.maxDataSizeMB not specified anywhere:
# This results in no size limit - old-style behavior
[i2]
homePath = volume:caliente/i2
homePath.maxDataSizeMB = 1000
# overrides the global default
coldPath = volume:frio/i2
coldPath.maxDataSizeMB = 10000
# limits the size of cold buckets
[i3]
homePath = /old/style/path
homePath.maxDataSizeMB = 1000
coldPath = volume:frio/i3
coldPath.maxDataSizeMB = 10000
Note: For SmartStore indexes, SmartStore controls local disk usage. See About
SmartStore.
Set limits on disk usage
Splunk Enterprise uses several methods to control disk space. Indexes consume
most of the disk space. If you run out of disk space, the indexer stops indexing.
You can set a minimum free space limit to control how low free disk space falls
before indexing stops. Indexing resumes once space exceeds the minimum.
Note: To determine how much space you need for your indexes, see "Estimate
your storage requirements" in the Capacity Planning Manual.
You can set a minimum amount of free disk space for the disk where indexed
data is stored. If the limit is reached, the indexer stops operating. Both indexing
and searching are affected.
Note:
• The indexer does not clear any of its disk space with this method. It simply
pauses until more space becomes available.
• Incoming data can be lost while indexing is suspended.
You can set minimum free disk space through Splunk Web, the CLI, or the
server.conf configuration file.
In Splunk Web
1. Click Settings in the upper right corner of Splunk Web.
2. Click Server settings.
3. Click General settings.
4. Under the Index settings section, set the field Pause indexing if free disk
space (in MB) falls below to the desired minimum free disk space in
megabytes.
5. Click Save.
In the CLI
You can set the minimum free disk space with the CLI. This example sets the
minimum free disk space to 20,000MB (20GB):
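A minimal sketch, assuming the standard set minfreemb CLI command and a
restart for the change to take effect:
splunk set minfreemb 20000
splunk restart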
In server.conf
You can also set the minimum free disk space in the server.conf file. The
relevant stanza/attribute is this:
[diskUsage]
minFreeSpace = <num>
Note that <num> represents megabytes. The default is 5000.
The indexes.conf file contains index configuration settings. You can control disk
storage usage by specifying maximum index size or maximum age of data. When
one of these limits is reached, the oldest indexed data will be deleted (the
default) or archived. You can archive the data by using a predefined archive
script or creating your own.
For detailed instructions on how to use indexes.conf to set maximum index size
or age, see "Set a retirement and archiving policy".
For detailed information on index storage, see "How the indexer stores indexes".
Reduce tsidx disk usage
Note: This topic is not relevant to SmartStore indexes. See About SmartStore.
The tsidx retention policy determines how long the indexer retains the tsidx
files that it uses to search efficiently and quickly across its data. By default, the
indexer retains the tsidx files for all its indexed data for as long as it retains the
data itself. By adjusting the policy to remove tsidx files associated with older
data, you can set the optimal trade-off between storage costs and search
performance.
The indexer stores tsidx files in buckets alongside the rawdata files. The tsidx
files are vital for efficient searching across large amounts of data. They also
occupy substantial amounts of storage.
For data that you are regularly running searches across, you absolutely need the
tsidx files. However, if you have data that requires only infrequent searching as it
ages, you can adjust the tsidx retention policy to reduce the tsidx files once they
reach a specified age. This allows you to reduce the disk space that your indexed
data occupies.
The tsidx reduction process eliminates the full-size tsidx files and replaces them
with mini versions of those files that contain essential metadata. The rawdata
files and some other metadata files remain untouched. You can continue to
search across the aged data, if necessary, but such searches will exhibit
significantly worse performance. Rare term searches, in particular, will run
slowly.
To summarize, the main use case for tsidx reduction is for environments where
most searches run against recent data. In that case, fast access to older data
might not be worth the cost of storing the tsidx files. By reducing tsidx files for
older data, you incur little performance hit for most searches while gaining large
savings in disk usage.
Tsidx reduction replaces a bucket's full-size tsidx files with smaller versions of
those files, known as mini-tsidx files. It also eliminates the bucket's
merged_lexicon.lex file.
The full-size tsidx files usually constitute a large portion of the overall bucket size.
The exact amount depends on the type of data. Data with many unique terms
requires larger tsidx files. As a general guideline, the tsidx reduction process
decreases bucket size by approximately one-third to two-thirds. For example, a
1GB bucket decreases in size to somewhere between 350MB and 700MB.
To make a rough estimate of a bucket's reduction potential, look at the size of its
merged_lexicon.lex file. The merged_lexicon.lex file is an indicator of the
number of unique terms in a bucket's data. Buckets with larger
merged_lexicon.lex files have tsidx files that reduce to a greater degree,
because of the greater number of unique terms.
The size of a mini-tsidx file is generally about 5% to 10% of the size of the
corresponding original, full-size file. As mentioned earlier, however, the overall
reduction in bucket size is less than that - typically, one-third to two-thirds. This is
because, in addition to the mini-tsidx files, the reduced bucket retains the
rawdata file and a number of metadata files.
When you enable tsidx reduction, you specify a reduction age, on a per-index
basis. When buckets in that index reach the specified age, the indexer reduces
their tsidx files.
The tsidx reduction process runs, by default, every ten minutes. It checks each
bucket in the index and reduces the tsidx files in any bucket whose most recent
event is at least the specified reduction age.
The reduction process runs on only a single bucket at a time. If multiple buckets
are ready for reduction, the process handles them sequentially.
The reduction process is fast. For example, when running on a 1GB bucket, it
typically completes in just a few seconds.
Once a tsidx file is reduced, it stays reduced. If you disable the tsidx reduction
setting or increase the reduction age, the change affects only buckets that are
not already reduced. If necessary, however, there is a way to convert reduced
buckets back into buckets with full tsidx files. See Restore reduced buckets to
their original state.
Effect of reduction on bucket files
The tsidx reduction process eliminates the full-size tsidx files from each targeted
bucket after replacing them with mini versions that contain only essential
metadata. The mini-tsidx file consists of the header of the original tsidx file, which
contains metadata about each event. In addition, tsidx reduction eliminates the
bucket's merged_lexicon.lex file.
The bucket retains its rawdata file, along with the mini-tsidx files and certain other
metadata files, including the bloomfilter file.
Full size tsidx files have a .tsidx filename extension. Mini-tsidx files use the
.mini.tsidx extension.
Note: The full-size version of the tsidx file gets deleted only after the mini version
has been created. This means that the bucket will briefly contain both versions of
the file, with the commensurate increase in disk usage.
Note: If the indexer is performing a search that ranges across multiple buckets,
including one that is ready for reduction, reduction of the bucket might complete
before the search reaches it. As expected, when the search does reach the
reduced bucket, it will run slowly on that bucket.
Once a bucket has undergone tsidx reduction, you can run searches across the
bucket, but they will take much longer to complete. Since the indexer searches
the most recent buckets first, it will return results from all non-reduced buckets
before it reaches the reduced buckets.
When the search hits the reduced buckets, a message appears in Splunk Web to
warn users of a potential delay in search completion: "Search on most recent
data has completed. Expect slower search speeds as we search the minified
buckets."
A few search commands do not work with reduced buckets. These include
tstats and typeahead. A warning is added to search.log if such a search
touches a reduced bucket: "The full buckets will return results and the reduced
buckets will return 0 results." In addition, for the tstats command only, the
following message appears in Splunk Web: "Reduced buckets were found in
index={index}. Tstats searches are not supported on reduced buckets. Search
results will be incorrect."
Note: Tsidx reduction does not touch tsidx files for accelerated data models,
which are maintained in their own directories, separate from the index buckets.
Therefore, tstats commands that are restricted to an accelerated data model will
continue to function normally and are not affected by this feature.
By default, the indexer retains all tsidx files for the life of the buckets. To change
the policy, you must enable tsidx reduction.
You can also change the tsidx retention period from its default of seven days. A
bucket gets reduced only when all events in the bucket exceed the retention
period.
Configure in Splunk Web
5. To modify the default retention period, edit the "Reduce tsidx files older than"
field.
6. Click Save.
Configure in indexes.conf
You can enable tsidx reduction by directly editing indexes.conf. You can enable
reduction for one or more indexes individually or for all indexes globally.
To enable tsidx reduction for a single index, place the relevant attributes under
the index's stanza in indexes.conf. For example, to enable reduction for the
"newone" index and to set the retention period to 10 days:
[newone]
enableTsidxReduction = true
timePeriodInSecBeforeTsidxReduction = 864000
To enable tsidx reduction for all indexes, place the settings under the [default]
stanza.
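For example, a sketch that enables reduction for all indexes, with an illustrative
retention period of 30 days (2,592,000 seconds):
[default]
enableTsidxReduction = true
timePeriodInSecBeforeTsidxReduction = 2592000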
You must restart the indexer for the settings to take effect.
Once you enable tsidx reduction, the indexer begins to look for buckets to
reduce. It reduces all buckets that exceed the specified retention period. The
indexer reduces only one bucket at a time, so performance impact should be
minimal.
To check the reduction status of the buckets in an index, use the dbinspect
search command. For example:
| dbinspect index=_internal
The tsidxState field in the results specifies "full" or "mini" for each bucket.
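For instance, to get a quick count of full versus reduced buckets, you might pipe
the results to stats (a sketch, using the tsidxState field described above):
| dbinspect index=_internal | stats count by tsidxState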
An indexer cluster runs tsidx reduction in the same way, and according to the
same rules and settings, as a standalone indexer. However, since only
searchable bucket copies have tsidx files to begin with, reduction only occurs on
searchable copies. With tsidx reduction enabled, a searchable bucket copy can
contain either a full-size or a mini tsidx file, depending on the age of the bucket.
You must push changes to the tsidx reduction settings by means of the
configuration bundle method. This ensures that all peer nodes use the same
settings. Tsidx reduction then occurs at approximately the same time for all
searchable copies of a reduction-ready bucket, no matter which peers they reside
on.
When the cluster needs to make a non-searchable copy of a reduced bucket
searchable, the behavior depends on whether another searchable copy exists:
• If another searchable copy of the bucket exists in the cluster, the cluster
will stream that copy's mini-tsidx files to the non-searchable copy. When
streaming is complete, the copy is considered searchable.
• If no other searchable copy of the bucket exists, the cluster has no
mini-tsidx files available for streaming to the non-searchable copy. In that
case, the cluster must first build full-size tsidx files from the
non-searchable copy's rawdata file and then reduce the full-size files.
There is no way to create mini-tsidx files directly from a rawdata file.
Restore reduced buckets to their original state
You cannot restore reduced buckets to their original state merely by increasing
the age setting for tsidx reduction. That setting does not affect buckets that have
already been reduced.
2. In indexes.conf, either disable tsidx reduction or increase the age setting for
tsidx reduction beyond the age of the buckets that you want to restore.
Otherwise, the bucket will be reduced for a second time soon after you revert it.
4. Restart the indexer.
Configure bloom filters
Before you continue reading this topic, you should be familiar with how the
indexer stores data and how the data ages after it has been indexed. Basically,
indexed data resides in database directories consisting of subdirectories called
buckets. Each index has its own set of databases. As data ages, it moves
through several types of buckets (hot, warm, cold, and frozen). Read more about
"How the indexer stores data" and "How data ages".
As the indexer indexes your time-series data, it creates a compressed file that
contains the raw data broken into events based on timestamps and a set of
time-series index (tsidx) files. The tsidx files are lexicon files that act as a
dictionary of all the keywords in your data (error codes, response times, etc.) and
contain references to the location of events in the raw data. When you run a
search, the indexer searches the tsidx files for the keywords and retrieves the
events from the referenced raw data file.
Bloom filters work at the bucket level and use a separate file, bloomfilter, which
is basically a hash table that can tell you that a keyword definitely does not exist
in a bucket. Then, when you run a search, the indexer needs to search only the
tsidx files in the buckets that the bloom filters do not rule out. The execution cost
of retrieving events from disk grows with the size and number of tsidx files.
Because they decrease the number of tsidx files that the indexer needs to search,
bloom filters decrease the time it takes to search each bucket.
Instead of storing all of the unique keywords found in a bucket's tsidx files, the
bloom filter computes a hash for each keyword. Multiple keywords can result in
the same hash, which means that you can have false positives but never false
negatives. Because of this, bloom filters can quickly rule out terms that definitely
do not exist in a particular bucket and the indexer moves on to searching the next
bucket. If the bloom filter cannot rule out a bucket (the keyword may or may not
actually exist in the bucket), the indexer searches the bucket normally.
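To illustrate the concept only (this is a conceptual sketch in Python, not Splunk's
implementation), a simple bloom filter might look like this:
import hashlib

class BloomFilter:
    # Conceptual bloom filter: false positives are possible, false negatives are not.
    def __init__(self, size=1024, num_hashes=3):
        self.size = size
        self.num_hashes = num_hashes
        self.bits = [False] * size

    def _positions(self, term):
        # Derive num_hashes bit positions for a term.
        for i in range(self.num_hashes):
            digest = hashlib.sha256(("%d:%s" % (i, term)).encode()).hexdigest()
            yield int(digest, 16) % self.size

    def add(self, term):
        for pos in self._positions(term):
            self.bits[pos] = True

    def might_contain(self, term):
        # False means the term is definitely absent; True means it might be present.
        return all(self.bits[pos] for pos in self._positions(term))

bf = BloomFilter()
bf.add("error_code_503")
print(bf.might_contain("error_code_503"))   # True
print(bf.might_contain("no_such_keyword"))  # Almost certainly False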
Bloom filters are created when buckets roll from hot to warm. By default, they are
deleted when the buckets roll to frozen, unless you have configured a different
retention behavior. This section talks about the configuration file parameters you
can use to configure and manage your bloomfilter files.
To specify whether or not you want to use bloom filters, use the use_bloomfilter
parameter in limits.conf:
[search]
use_bloomfilter = true|false
* Control whether to use bloom filters to rule out buckets.
* Defaults to True.
To create a bloom filter for a specific index, edit the following Per Index options
in indexes.conf:
createBloomfilter = true|false
* Determines whether to create bloom filter files for the index.
* Defaults to "true".
In addition, you must use volumes if you explicitly define bloomHomePath. A
volume represents a directory on the file system where indexed data resides. For
more information, read "Configure maximum index size".
Determine which indexes.conf changes require
restart
Some changes to indexes.conf require that you restart the indexer for the
changes to take effect:
You do not need to restart the indexer if you only make these changes:
The configuration changes that cause the peer nodes in an indexer cluster to
undergo a rolling restart are a superset of those listed here. See Restart or
reload after configuration bundle changes?
There are several dashboards that monitor the status of indexes and volumes.
The dashboards are scoped either to a single instance or to the entire
deployment. They are located under the Indexing menu of the monitoring console.
View the dashboards themselves for more information. In addition, see "Indexing:
Indexes and volumes" in Monitoring Splunk Enterprise.
Back up and archive your indexes
To decide how to back up indexed data, it helps to understand first how the
indexer stores data and how the data ages once it has been indexed. Then you
can decide on a backup strategy.
Before you read this topic, you should look at "How the indexer stores indexes"
to get familiar with the structure of indexes and the options for configuring them.
But if you want to jump right in, the next section below attempts to summarize the
key points from that topic.
As data ages, it moves through several types of buckets. You determine how the
data ages by configuring attributes in indexes.conf. Read "Configure index
storage" for a description of the settings in indexes.conf that control how data
ages.
1. When the indexer first indexes data, it goes into a "hot" bucket. Depending on
your configuration, there can be several hot buckets open at one time. Hot
buckets cannot be backed up because the indexer is actively writing to them, but
you can take a snapshot of them.
2. The data remains in the hot bucket until the policy conditions are met for it to
be reclassified as "warm" data. This is called "rolling" the data into the warm
bucket. This happens when a hot bucket reaches a specified size or age, or
whenever splunkd gets restarted. When a hot bucket is rolled, its directory is
renamed, and it becomes a warm bucket. (You can also manually roll a bucket
from hot to warm, as described below.) It is safe to back up the warm buckets.
3. When the index reaches one of several possible configurable limits, usually a
specified number of warm buckets, the oldest bucket becomes a "cold" bucket.
The indexer moves the bucket to the colddb directory. The default number of
warm buckets is 300.
4. Finally, at a time based on your defined policy requirements, the bucket rolls
from cold to "frozen". The indexer deletes frozen buckets. However, if you need
to preserve the data, you can tell the indexer to archive the data before deleting
the bucket. See "Archive indexed data" for more information.
You can set retirement and archiving policy by controlling several different
parameters, such as the size of indexes or buckets or the age of the data.
To summarize:
• hot buckets - Currently being written to; do not back these up.
• warm buckets - Rolled from hot; can be safely backed up.
• cold buckets - Rolled from warm; buckets are moved to another location.
• frozen buckets - The indexer deletes these, but you can archive their
contents first.
You set the locations of index databases in indexes.conf. (See below for
detailed information on the database locations for the default index.) You also
specify numerous other attributes there, such as the maximum size and age of
hot buckets.
The following list shows the bucket types, their default locations, and notes on
each location:
• Hot
  Default location: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*
  Notes: There can be multiple hot subdirectories. Each hot bucket occupies its
  own subdirectory, which uses this naming convention: hot_v1_<ID>
• Warm
  Default location: $SPLUNK_HOME/var/lib/splunk/defaultdb/db/*
  Notes: There are separate subdirectories for each warm bucket. These are
  named as described below in "Warm/cold bucket naming convention".
• Cold
  Default location: $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb/*
  Notes: There are multiple cold subdirectories. When warm buckets roll to cold,
  they get moved into this directory, but are not renamed.
• Frozen
  Default location: N/A. Frozen data gets deleted or archived into a directory
  location you specify.
  Notes: Deletion is the default; see "Archive indexed data" for information on
  how to archive the data instead.
• Thawed
  Default location: $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/*
  Notes: Location for data that has been archived and later thawed. See "Restore
  archived data" for information on restoring archived data to a thawed state.
The paths for hot/warm and cold directories are configurable, so you can store
cold buckets in a separate location from hot/warm buckets. See "Configure index
storage" and "Use multiple partitions for index data".
How you actually perform the backup will, of course, depend entirely on the tools
and procedures in place at your organization, but this section should help provide
you the guidelines you need to proceed.
Incremental backups
To back up hot buckets as well, you need to take a snapshot of the files, using a
tool like VSS (on Windows/NTFS), ZFS snapshots (on ZFS), or a snapshot
facility provided by the storage subsystem. If you do not have a snapshot tool
available, you can manually roll a hot bucket to warm and then back it up, as
described below. However, this is not generally recommended, for reasons also
discussed below.
It is recommended that you back up all your data before upgrading the indexer.
This means the hot, warm, and cold buckets.
There are obviously a number of ways to do this, depending on the size of your
data and how much downtime you can afford. Here are some basic guidelines:
• For smaller amounts of data, shut down the indexer and just make a copy
of your database directories before performing the upgrade.
• For larger amounts of data, you will probably instead want to snapshot
your hot buckets prior to upgrade.
In any case, if you have been doing incremental backups of your warm buckets
as they've rolled from hot, you should need to back up only your hot buckets at
this time.
To roll the buckets of an index manually from hot to warm, use the following CLI
command, replacing <index_name> with the name of the index you want to roll:
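A sketch of the command, assuming the _internal REST endpoint for rolling hot
buckets (supply administrator credentials):
splunk _internal call /data/indexes/<index_name>/roll-hot-buckets -auth <admin_username>:<admin_password>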
If you experience a non-catastrophic disk failure (for example you still have some
of your data, but the indexer won't run), Splunk recommends that you move the
index directory aside and restore from a backup rather than restoring on top of a
partially corrupted datastore. The indexer will automatically create hot directories
on startup as necessary and resume indexing. Monitored files and directories will
pick up where they were at the time of the backup.
Even though an indexer cluster already contains redundant copies of data, you
might also want to back up the cluster data to another location; for example, to
keep a copy of the data offsite as part of an overall disaster recovery plan.
The simplest way to do this is to back up the data on each individual peer node
on your cluster, in the same way that you back up data on individual,
non-clustered indexers, as described earlier in this topic. However, this approach
will result in backups of duplicate data. For example, if you have a cluster with a
replication factor of 3, the cluster is storing three copies of all the data across
its set of peer nodes. If you then back up the data residing on each individual
node, you end up with backups containing, in total, three copies of the data. You
cannot solve this problem by backing up just the data on a single node, since
there's no certainty that a single node contains all the data in the cluster.
The solution to this would be to identify exactly one copy of each bucket on the
cluster and then back up just those copies. However, in practice, it is quite a
complex matter to do that. One approach is to create a script that goes through
each peer's index storage and uses the bucket ID value contained in the bucket
name to identify exactly one copy of each bucket. The bucket ID is the same for
all copies of a bucket. For information on the bucket ID, read "Warm/cold bucket
naming convention". Another thing to consider when designing a cluster backup
script is whether you want to back up just the bucket's rawdata or both its
rawdata and index files. If the latter, the script must also identify a searchable
copy of each bucket.
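To sketch the idea in Python (not a complete solution; it assumes the bucket
directory naming convention described in "Warm/cold bucket naming convention",
where the trailing fields of the directory name identify the bucket across all of its
copies):
def one_copy_per_bucket(bucket_paths):
    # Given bucket directory paths gathered from all peer nodes, keep one path per bucket ID.
    chosen = {}
    for path in bucket_paths:
        name = path.rstrip('/').split('/')[-1]
        parts = name.split('_')           # e.g. db_<newest>_<oldest>_<localid>_<guid>
        bucket_id = '_'.join(parts[3:])   # assumed to be common to all copies of a bucket
        chosen.setdefault(bucket_id, path)
    return list(chosen.values())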
Set a retirement and archiving policy
Configure data retirement and archiving policy by controlling the size of indexes
or the age of data in indexes.
The following list shows the bucket stages, with a description and searchability
for each:
• Hot: Contains newly indexed data. Open for writing. One or more hot buckets
  for each index. Searchable: Yes.
• Warm: Data rolled from hot. There are many warm buckets. Searchable: Yes.
• Cold: Data rolled from warm. There are many cold buckets. Searchable: Yes.
• Frozen: Data rolled from cold. The indexer deletes frozen data by default, but
  you can also archive it. Archived data can later be thawed. Searchable: No.
You configure the sizes, locations, and ages of indexes and their buckets by
editing indexes.conf, as described in "Configure index storage".
Caution: When you change your data retirement and archiving policy settings,
the indexer can delete old data without prompting you.
You can use the size of an index to determine when data gets frozen and
removed from the index. If an index grows larger than its maximum specified
size, the oldest data is rolled to the frozen state.
The default maximum size for an index is 500,000MB. To change the maximum
size, edit the maxTotalDataSizeMB attribute in indexes.conf. For example, to
specify the maximum size as 250,000MB:
[main]
maxTotalDataSizeMB = 250000
Specify the size in megabytes.
Restart the indexer for the new setting to take effect. Depending on how much
data there is to process, it can take some time for the indexer to begin to move
buckets out of the index to conform to the new policy. You might see high CPU
usage during this time.
This setting takes precedence over frozenTimePeriodInSecs. If
maxTotalDataSizeMB is reached before frozenTimePeriodInSecs, data will be
rolled to frozen before the configured time period has elapsed. If archiving has
not been configured, unintended data loss can occur.
You can use the age of data to determine when a bucket gets rolled to frozen.
When the most recent data in a particular bucket reaches the configured age, the
entire bucket is rolled.
To change the maximum age, edit the frozenTimePeriodInSecs attribute in
indexes.conf. For example, to roll buckets to frozen once their most recent data
is 180 days (15,552,000 seconds) old:
[main]
frozenTimePeriodInSecs = 15552000
Specify the time in seconds.
Restart the indexer for the new setting to take effect. Depending on how much
data there is to process, it can take some time for the indexer to begin to move
buckets out of the index to conform to the new policy. You might see high CPU
usage during this time.
Archive data
If you want to archive frozen data instead of deleting it entirely, you must tell the
indexer to do so, as described in "Archive indexed data". You can create your
own archiving script or you can just let the indexer handle the archiving for you.
You can later restore ("thaw") the archived data, as described in "Restore
archived data".
There are a number of other conditions that can cause buckets to roll from one
stage to another, some of which can also trigger deletion or archiving. These are
all configurable, as described in "Configure index storage". For a full
understanding of all your options for controlling retirement policy, read that topic
and look at the indexes.conf spec file.
For example, the indexer rolls buckets when they reach their maximum size. You
can reduce bucket size by setting a smaller maxDataSize in indexes.conf so they
roll faster. But note that it takes longer to search more small buckets than fewer
large buckets. To get the results you are after, you will have to experiment a bit
to determine the right size for your buckets.
I ran out of disk space so I changed the archive policy, but it's still not
working
If you changed your archive policy to be more restrictive because you've run out
of disk space, you may notice that events haven't started being archived
according to your new policy. This is most likely because you must first free up
some space so the process has room to run. Stop the indexer, clear out ~5GB of
disk space, and then start the indexer again. After a while (exactly how long
depends on how much data there is to process) you should see INFO entries
about BucketMover in splunkd.log showing that buckets are being archived.
Archive indexed data
You can configure the indexer to archive your data automatically as it ages;
specifically, at the point when it rolls to "frozen". To do this, you configure
indexes.conf.
Caution: By default, the indexer deletes all frozen data. It removes the data from
the index at the moment it becomes frozen. If you need to keep the data around,
you must configure the indexer to archive the data before removing it. You do
this by either setting the coldToFrozenDir attribute or specifying a valid
coldToFrozenScript in indexes.conf.
For detailed information on data storage, see How the indexer stores indexes.
For information on editing indexes.conf, see Configure index storage.
How the indexer archives data
The indexer rotates old data out of the index based on your data retirement
policy, as described in Set a retirement and archiving policy. Data moves through
several stages, which correspond to file directory locations. Data starts out in the
hot database, located as subdirectories ("buckets") under
$SPLUNK_HOME/var/lib/splunk/defaultdb/db/. It then moves to the warm
database, also located as subdirectories under
$SPLUNK_HOME/var/lib/splunk/defaultdb/db. Eventually, data is aged into the
cold database $SPLUNK_HOME/var/lib/splunk/defaultdb/colddb.
Finally, data reaches the frozen state. This can happen for a number of reasons,
as described in Set a retirement and archiving policy. At this point, the indexer
erases the data from the index. If you want the indexer to archive the frozen data
before erasing it from the index, you must specify that behavior. You can choose
two ways of handling the archiving:
• Let the indexer perform the archiving automatically, by setting the
coldToFrozenDir attribute.
• Specify an archiving script for the indexer to run, by setting the
coldToFrozenScript attribute.
Note: You can only set one or the other of these attributes. The coldToFrozenDir
attribute takes precedence over coldToFrozenScript, if both are set.
If you don't specify either of these attributes, the indexer runs a default script that
simply writes the name of the bucket being erased to the log file
$SPLUNK_HOME/var/log/splunk/splunkd_stdout.log. It then erases the bucket.
If you set the coldToFrozenDir attribute in indexes.conf, the indexer automatically
copies frozen buckets to the specified location before erasing the data from the
index.
[<index>]
coldToFrozenDir = "<path to frozen archive>"
Note the following:
Note: When you use Splunk Web to create a new index, you can also specify a
frozen archive path for that index. See Create custom indexes for details.
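For example, a minimal sketch that archives the main index's frozen buckets to a
hypothetical local directory:
[main]
coldToFrozenDir = "/opt/splunk_frozen_archive/main"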
How the indexer archives the frozen data depends on whether the data was
originally indexed in a pre-4.2 release:
• For buckets created from version 4.2 and on, the indexer will remove all
files except for the rawdata file.
• For pre-4.2 buckets, the script simply gzip's all the .tsidx and .data files
in the bucket.
This difference is due to a change in the format of rawdata. Starting with 4.2, the
rawdata file contains all the information the indexer needs to reconstitute an
index bucket.
For information on thawing these buckets, see Restore archived indexed data.
Specify an archiving script
You'll need to supply the actual script. Typically, the script will archive the data,
but you can provide a script that performs any action you want.
[<index>]
coldToFrozenScript = ["<path to program that runs script>"] "<path to script>"
Note the following:
coldToFrozenScript = "$SPLUNK_HOME/bin/python"
"$SPLUNK_HOME/bin/myColdToFrozen.py"
• For detailed information on the archiving script, see the indexes.conf spec
file.
The indexer ships with an example archiving script that you can edit,
$SPLUNK_HOME/bin/coldToFrozenExample.py.
Note: If using the example script, edit it to specify the archive location for your
installation. Also, rename the script or move it to another location to avoid having
changes overwritten when you upgrade the indexer. This is an example script
and should not be applied to a production instance without editing to suit your
environment and testing extensively.
The example script archives the frozen data differently, depending on whether
the data was originally indexed in a pre-4.2 release:
• For buckets created from version 4.2 and on, it will remove all files except
for the rawdata file.
• For pre-4.2 buckets, the script simply gzip's all the .tsidx and .data files.
This difference is due to a change in the format of rawdata. Starting with 4.2, the
rawdata file contains all the information the indexer needs to reconstitute an
index bucket.
For information on thawing these buckets, see Restore archived indexed data.
As a best practice, make sure the script you create completes as quickly as
possible, so that the indexer doesn't end up waiting for the return indicator. For
example, if you want to archive to a slow volume, set the script to copy the
buckets to a temporary location on the same (fast) volume as the index. Then
use a separate script, outside the indexer, to move the buckets from the
temporary location to their destination on the slow volume.
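Here is a minimal sketch of such a script (the script name and staging directory
are hypothetical; it assumes the indexer invokes the script with the path of the
frozen bucket as its single argument, as described in the indexes.conf spec file):
# myColdToFrozen.py (hypothetical): copy the frozen bucket to a fast staging area.
import os
import shutil
import sys

STAGING_DIR = '/opt/splunk_frozen_staging'   # assumed fast, local staging location

def main():
    if len(sys.argv) != 2 or not os.path.isdir(sys.argv[1]):
        sys.exit('Usage: myColdToFrozen.py <bucket_directory>')
    bucket = sys.argv[1]
    os.makedirs(STAGING_DIR, exist_ok=True)
    destination = os.path.join(STAGING_DIR, os.path.basename(bucket))
    shutil.copytree(bucket, destination)
    # A separate process, outside the indexer, later moves the staged buckets
    # to their long-term destination on the slow volume.

if __name__ == '__main__':
    main()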
In an indexer cluster, each individual peer node rolls its buckets to frozen, in the
same way that a non-clustered indexer does; that is, based on its own set of
configurations. Because all peers in a cluster should be configured identically, all
copies of a bucket should roll to frozen at approximately the same time.
However, there can be some variance in the timing, because the same index can
grow at different rates on different peers. The cluster performs processing to
ensure that buckets freeze smoothly across all peers in the cluster. Specifically, it
performs processing so that, if a bucket is frozen on one peer but not on another,
the cluster does not initiate fix-up activities for that bucket. See How the cluster
handles frozen buckets.
Because indexer clusters contain multiple copies of each bucket, if you archive
the data using the techniques described earlier in this topic, you archive multiple
copies of the data.
For example, if you have a cluster with a replication factor of 3, the cluster
stores three copies of all its data across its set of peer nodes. If you set up each
peer node to archive its own data when it rolls to frozen, you end up with three
archived copies of the data. You cannot solve this problem by archiving just the
data on a single node, since there's no certainty that a single node contains all
the data in the cluster.
The solution to this would be to archive just one copy of each bucket on the
cluster and discard the rest. However, in practice, it is quite a complex matter to
do that. If you want guidance in archiving single copies of clustered data, contact
Splunk Professional Services. They can help design a solution customized to the
needs of your environment.
If you choose to take the easy approach and archive multiple copies of the
clustered data, you must guard against name collisions. You cannot route the
data from all peer nodes into a single archive directory, because multiple,
identically named copies of the bucket will exist across the cluster (for
deployments where replication factor >= 2), and the contents of a directory must
be named uniquely. Instead, you need to ensure that the buckets from each of
your peer nodes go to a separate archive directory. This, of course, will be
somewhat difficult to manage if you specify a destination directory in shared
storage by means of the coldToFrozenDir attribute in indexes.conf, because the
indexes.conf file must be the same across all peer nodes, as discussed in
Configure the peer indexes in an indexer cluster. One alternative approach would
be to create a script that directs each peer's archived buckets to a separate
location on the shared storage, and then use the coldToFrozenScript attribute to
specify that script.
See "Archive indexed data" for information on how to archive data in the first
place. You can also use that page as guidance if you want to re-archive data
after you've thawed it.
For the most part, you can restore an archive to any instance of the indexer, not
just the one that originally indexed it. This, however, depends on a couple of
factors:
♦ 4.2+ buckets: You can restore a 4.2+ bucket to any 4.2+ instance.
♦ Pre-4.2 buckets: You can restore a pre-4.2 bucket to any indexer,
pre-4.2 or post-4.2, aside from a few OS-related issues, described
in the next bullet.
In addition, make sure that you do not introduce bucket ID conflicts to your index
when restoring the archived bucket. This issue is discussed later.
Before thawing the archive bucket, you need to identify whether the archive
bucket is pre- or post-4.2. Here's how to tell the difference, assuming you
archived the buckets using coldToFrozenDir or the provided example script:
• 4.2+ bucket: The bucket directory contains only the rawdata directory,
which contains journal.gz.
• Pre-4.2 bucket: The bucket directory contains gzipped versions of .tsidx
and .data files, along with a rawdata directory containing files named
<int>.gz.
Important: If you archived the data through some script of your own, the
resulting bucket could contain just about anything.
Thaw a 4.2+ archive
*nix users
1. Copy your archive bucket into the thawed directory:
cp -r db_1181756465_1162600547_1001
$SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb
Note: The bucket id cannot conflict with any other bucket in the index. This
example assumes that the bucket id '1001' is unique for the index. If it isn't,
choose some other, non-conflicting bucket ID.
2. Execute the splunk rebuild command on the archive bucket to rebuild the
indexes and associated files:
splunk rebuild
$SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/db_1181756465_1162600547_1001
3. Restart the indexer:
splunk restart
Windows users
1. Copy your archive bucket into the thawed directory:
xcopy D:\MyArchive\db_1181756465_1162600547_1001
%SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb /s /e /v
Note: The bucket id cannot conflict with any other bucket in the index. This
example assumes that the bucket id '1001' is unique for the index. If it isn't,
choose some other, non-conflicting bucket ID.
2. Execute the splunk rebuild command on the archive bucket to rebuild the
indexes and associated files:
splunk
rebuild %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\db_1181756465_1162600547_1001
3. Restart the indexer:
splunk restart
Thaw a pre-4.2 archive
*nix users
1. Copy your archive bucket into the thawed directory, giving it a temporary name:
# cp -r db_1181756465_1162600547_0
$SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/temp_db_1181756465_1162600547_0
2. If the bucket was compressed when originally archived, uncompress the
contents in the thawed directory.
3. Rename the temporary bucket to something that the indexer will recognize:
# cd $SPLUNK_HOME/var/lib/splunk/defaultdb/thaweddb/
# mv temp_db_1181756465_1162600547_0 db_1181756465_1162600547_1001
Note: You must choose a bucket id that does not conflict with any other bucket in
the index. This example assumes that the bucket id '1001' is unique for the index.
If it isn't, choose some other, non-conflicting bucket ID.
4. Rebuild the index's metadata and manifests:
# cd $SPLUNK_HOME/bin
# ./splunk login
# ./splunk _internal call
/data/indexes/main/rebuild-metadata-and-manifests
After a few moments, the contents of your newly thawed bucket should be
searchable again.
Windows users
1. Copy your archive bucket into the thawed directory:
> xcopy
D:\MyArchive\db_1181756465_1162600547_0 %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb\
/s /e /v
2. If the bucket was compressed when originally archived, uncompress the
contents in the thawed directory.
3. Rename the temporary bucket to something that the indexer will recognize:
> cd %SPLUNK_HOME%\var\lib\splunk\defaultdb\thaweddb
> move temp_db_1181756465_1162600547_0 db_1181756465_1162600547_1001
Note: You must choose a bucket id that does not conflict with any other bucket in
the index. This example assumes that the bucket id '1001' is unique for the index.
If it isn't, choose some other, non-conflicting bucket ID.
4. Rebuild the index's metadata and manifests:
> cd %SPLUNK_HOME%\bin
> splunk login
> splunk _internal call
/data/indexes/main/rebuild-metadata-and-manifests
After a few moments, the contents of your newly thawed bucket should be
searchable again.
You can thaw archived clustered data onto individual peer nodes the same way
that you thaw data onto any individual indexer. However, as described in
"Archive indexed data", it is difficult to archive just a single copy of clustered data
in the first place. If, instead, you archive data across all peer nodes in a cluster,
you can later thaw the data, placing the data into the thawed directories of the
peer nodes from which it was originally archived. You will end up with replication
factor copies of the thawed data on your cluster, since you are thawing all of the
original data, including the copies.
Note: Data does not get replicated from the thawed directory. So, if you thaw just
a single copy of some bucket, instead of all the copies, only that single copy will
reside in the cluster, in the thawed directory of the peer node where you placed
it.
Overview of indexer clusters and index
replication
Indexer clusters feature automatic failover from one indexer to the next. This
means that, if one or more indexers fail, incoming data continues to get indexed
and indexed data continues to be searchable.
Note: Clusters with SmartStore indexes rely on the inherent capabilities of a
remote object store to ensure high availability, data fidelity, data recovery, and
disaster recovery for most of the index data. See About SmartStore.
You can also use clusters to scale indexing capacity, even in situations where
index replication is not a requirement. See "Use indexer clusters to scale
indexing".
Note: Search head clusters provide high availability and scalability for groups of
search heads. They are a separate feature from indexer clusters, but you can
combine them with indexer clusters to build a high availability, scalable solution
across your entire Splunk Enterprise deployment. See "About search head
clustering" in the Distributed Search manual.
The master node manages the cluster. It coordinates the replicating activities of
the peer nodes and tells the search head where to find data. It also helps
manage the configuration of peer nodes and orchestrates remedial activities if a
peer goes down.
The peer nodes receive and index incoming data, just like non-clustered,
stand-alone indexers. Unlike stand-alone indexers, however, peer nodes also
replicate data from other nodes in the cluster. A peer node can index its own
incoming data while simultaneously storing copies of data from other nodes. You
must have at least as many peer nodes as the replication factor. That is, to
support a replication factor of 3, you need a minimum of three peer nodes.
The search head runs searches across the set of peer nodes. You must use a
search head to manage searches across indexer clusters.
For most purposes, it is recommended that you use forwarders to get data into
the cluster.
Here is a diagram of a basic, single-site indexer cluster, containing three peer
nodes and supporting a replication factor of 3:
Clusters are easy to set up. The process is similar to setting up a group of
stand-alone indexers. Basically, you install the indexers and perform a bit of
configuration.
The main difference is that you also need to identify and enable the cluster
nodes. You designate one Splunk Enterprise instance as the master node and
other instances as peer nodes. You need at least as many peer nodes as the
size of your replication factor. To increase indexing capacity for horizontal
scaling, you just add more peer nodes.
You also need to set up one or more search heads to manage searches across
the peers and to consolidate the results for the user.
You enable cluster nodes in the same way that you configure any settings in
Splunk Enterprise: through Splunk Web or the CLI, or directly, by editing
configuration files.
You search a cluster the same way you search any non-clustered group of
indexers. You submit your searches through a search head.
What happens behind the scenes is a bit different, though. Once you have
submitted your search, the search head consults the master node to determine
the current set of peer nodes. The search head then distributes the search tasks
directly to those peers. The peers do their part and send their results back to the
search head, which then consolidates the results and returns them to Splunk
Web. From the user's standpoint, it is no different than searching any standalone
indexer or non-clustered group of indexers. See "How search works in an indexer
cluster."
With a multisite cluster, you can also implement search affinity. In search affinity,
a search head gets search results only from indexers local to its site, when
possible. At the same time, the search still has access to the full set of data. See
"Implement search affinity in a multisite indexer cluster."
Clusters are easy to set up and use, but you need to have a good grounding in
the basics of Splunk Enterprise indexing and deployment first. Before you
continue, make sure you know this stuff:
• How to configure indexers. See "How the indexer stores indexes", along
with the other topics in the current manual that describe managing
indexes.
• What a search head does. For an introduction to distributed search and
search heads, see "About distributed search" in the Distributed Search
manual.
• How to use a forwarder to get data into an indexer. See "Use
forwarders" in the Getting Data In manual.
Use cases
• Search affinity. If you configure each site so that it has both a search
head and a full set of searchable data, the search head on each site will
limit its searches to local peer nodes. This eliminates any need, under
normal conditions, for search heads to access data on other sites, greatly
reducing network traffic between sites.
Multisite configuration
Multisite architecture
The architecture of single-site and multisite clusters is similar. These are the
main differences for multisite clusters:
The basics of indexer cluster architecture
This topic introduces indexer cluster architecture. It describes the nodes of a
single-site cluster and how they work together. It also covers some essential
concepts and describes briefly how clusters handle indexing and searching.
For a deeper dive into cluster architecture, read the chapter How indexer clusters
work.
For information on how cluster architecture differs for SmartStore indexes, see
SmartStore architecture overview and Indexer cluster operations and
SmartStore.
Cluster nodes
Master nodes, peer nodes, and search heads are all specialized Splunk
Enterprise instances. All nodes must reside on separate instances and separate
machines. For example, the master node cannot reside on the same instance or
machine as a peer node or a search head.
Here is a diagram of a simple single-site cluster, with a few peers and some
forwarders sending data to them:
Some of what is happening in this diagram might not make sense yet; read on.
Master node
The master node manages the cluster. It coordinates the replicating activities of
the peer nodes and tells the search head where to find data. It also helps
manage the configuration of peer nodes and orchestrates remedial activities if a
peer goes offline.
Unlike the peer nodes, the master does not index external data. A cluster has
exactly one master node.
Peer node
Peer nodes perform the indexing function for the cluster. They receive and index
incoming data. They also send replicated data to other peer nodes in the cluster
and receive replicated data from other peers. A peer node can index its own
external data while simultaneously receiving and sending replicated data. Like all
indexers, peers also search across their indexed data in response to search
requests from the search head.
The number of peer nodes you deploy is dependent on two factors: the cluster
replication factor and the indexing load. For example, if you have a replication
factor of 3 (which means you intend to store three copies of your data), you need
at least three peers. If you have more indexing load than three indexers can
handle, you can add more peers to increase capacity.
Search head
The search head manages searches across the set of peer nodes. It distributes
search queries to the peers and consolidates the results. You initiate all searches
from the search head. A cluster must have at least one search head.
Forwarder
Forwarders function the same way in indexer clusters as in any other deployment:
they consume data from external sources and forward it to the peer nodes.
Important concepts
Replication factor
As part of configuring the master, you specify the number of copies of data that
you want the cluster to maintain. The number of copies is called the cluster's
replication factor. The replication factor is a key concept in index replication,
because it determines the cluster's failure tolerance: a cluster can tolerate a
failure of (replication factor - 1) peer nodes. For example, if you want to ensure
that your system can handle the failure of two peer nodes, you must configure a
replication factor of 3, which means that the cluster stores three identical copies
of your data on separate nodes. If two peers go down, the data is still available
on a third peer. The default value for the replication factor is 3.
In this diagram, one peer is receiving data from a forwarder, which it processes
and then streams to two other peers. The cluster will contain three complete
copies of the peer's data. This diagram represents a very simplified version of
peer replication, where all data is coming into the system through a single peer.
In most three-peer clusters, all three peers would be receiving external data from
a forwarder, as well as replicated data from other peers.
For a detailed discussion of the replication factor and the trade-offs involved in
adjusting its value, see the topic Replication factor.
Search factor
When you configure the master, you also designate a search factor. The search
factor determines the number of immediately searchable copies of data the
cluster maintains.
Searchable copies of data require more storage space than non-searchable
copies, so it is best to limit the size of your search factor to fit your exact needs.
For most purposes, use the default value of 2. This allows the cluster to continue
searches with little interruption if a single peer node goes down.
For a detailed discussion of the search factor and the trade-offs involved in
adjusting its value, see the topic Search factor.
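As an illustration, the corresponding settings in the master node's server.conf
might look like this (a sketch only; see the cluster deployment chapters for the
full set of required attributes, such as the security key):
[clustering]
mode = master
replication_factor = 3
search_factor = 2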
Buckets
Buckets contain two types of files: a rawdata file, which contains the data along
with some metadata, and - for searchable copies of buckets - index files into the
data.
The cluster replicates data on a bucket-by-bucket basis. The original bucket and
its copies on other peer nodes have identical sets of rawdata. Searchable copies
also contain the index files.
Each time a peer creates a new bucket, it communicates with the master to get a
list of peers to stream the bucket's data to. If you have a cluster in which the
number of peer nodes exceeds the replication factor, a peer might stream data to
a different set of peers each time it creates a new bucket. Eventually, the copies
of the peer's original buckets are likely to be spread across a large number of
peers, even if the replication factor is only 3.
You need a good grasp of buckets to understand cluster architecture. For an
overview of buckets in general, read How the indexer stores indexes. Then read
the topic Buckets and indexer clusters. It provides detailed information on bucket
concepts of particular importance for a clustered deployment.
Clustered indexing functions like non-clustered indexing, except that the cluster
stores multiple copies of the data. Each peer node receives, processes, and
indexes external data - the same as any non-clustered indexer. The key
difference is that the peer node also streams, or "replicates", copies of the
processed data to other peers in the cluster, which then store those copies in
their own buckets. Some of the peers receiving the processed data might also
index it. The replication factor determines the number of peers that receive the
copies of data. The search factor determines the number of peers that index the
data.
A peer node can be indexing external data while simultaneously storing, and
potentially indexing, copies of replicated data sent to it from other peers. For
example, if you have a three-peer cluster configured with a replication factor of 3,
each peer can be ingesting and indexing external data while also storing copies
of replicated data streamed to it by the other peers. If the cluster's search factor
is 2, one of the peers receiving a copy of streamed data will also index it. (In
addition, the peer that originally ingests the data always indexes its own copy.)
This diagram shows the movement of data into peers, both from forwarders and
from other peers:
You can set up your cluster so that all the peer nodes ingest external data. This
is the most common scenario. You do this simply by configuring inputs on each
peer node. However, you can also set up the cluster so that only a subset of the
peer nodes ingest data. No matter how you disperse your inputs across the
cluster, all the peer nodes can, and likely will, also store replicated data. The
master determines, on a bucket-by-bucket basis, which peer nodes will get
replicated data. You cannot configure this, except in the case of multisite
clustering, where you can specify the number of copies of data that each site's
set of peers receives.
In addition to replicating indexes of external data, the peers also replicate their
internal indexes, such as _audit, _internal, etc.
The master manages the peer-to-peer interactions. Most importantly, it tells each
peer what peers to stream its data to. Once the master has communicated this,
the peers then exchange data with each other, without the master's involvement,
unless a peer node goes down. The master also keeps track of which peers have
searchable data and ensures that there are always search factor number of
copies of searchable data available. When a peer goes down, the master
coordinates remedial activities.
For detailed information, read the topic How clustered indexing works.
For information on how indexing works with SmartStore indexes, see How
indexing works in SmartStore.
To ensure that exactly one copy of each bucket participates in a search, one
searchable copy of each bucket in the cluster is designated as primary.
Searches occur only across the set of primary copies.
The set of primary copies can change over time, for example, in response to a
peer node going down. If some of the bucket copies on the downed node were
primary, other searchable copies of those buckets will be made primary to
replace them. If there are no other searchable copies (because the cluster has a
search factor of 1), non-searchable copies will first have to be made searchable
before they can be designated as primary.
The master rebalances primaries across the set of peers whenever a peer joins
or rejoins the cluster, in an attempt to improve distribution of the search load. See
Rebalance the indexer cluster primary buckets.
The master keeps track of all bucket copies on all peer nodes, and the peer
nodes themselves know the status of their bucket copies. That way, in response
to a search request, a peer knows which of its bucket copies to search.
Periodically, the search head gets a list of active search peers from the master.
To handle searches, it then communicates directly with those peers, as it would
for any distributed search, sending search requests and knowledge bundles to
the peers and consolidating search results returned from the peers.
For detailed information, read the topic How search works in an indexer cluster.
For information on how search works with SmartStore indexes, see How search
works in SmartStore.
If a peer node goes down, the master coordinates attempts to reproduce the
peer's buckets on other peers. For example, if a downed node was storing 20
copies of buckets, of which 10 were searchable (including three primary bucket
copies), the master will direct efforts to create copies of those 20 buckets on
other nodes. It will likewise attempt to replace the 10 searchable copies with
searchable copies of the same buckets on other nodes. And it will replace the
primary copies by changing the status of corresponding searchable copies on
other peers from non-primary to primary.
If there are fewer peer nodes remaining than the number specified by the
replication factor, the cluster will not be able to replace the 20 missing copies.
For example, if you have a three-node cluster with a replication factor of 3, the
cluster cannot replace the missing copies when a node goes down, because
there is no other node where replacement copies can go.
Except in extreme cases, however, the cluster should be able to replace the
missing primary bucket copies by designating searchable copies of those
buckets on other peers as primary, so that all the data continues to be accessible
to the search head.
The only case in which the cluster cannot maintain a full set of primary copies is
if a replication factor number of nodes goes down. For example, if you have a
cluster of five peer nodes, with a replication factor of 3, the cluster will still be
able to maintain a full set of primary copies if one or two peers go down but not if
a third peer goes down.
The search factor determines whether full search capability can quickly resume
after a node goes down. To ensure rapid recovery from one downed node, the
search factor must be set to at least 2. That allows the master to immediately
replace primaries on the downed node with existing searchable copies on other
nodes.
If instead the search factor is set to 1, that means the cluster is maintaining just a
single set of searchable bucket copies. If a peer with some primary copies goes
down, the cluster must first convert a corresponding set of non-searchable copies
on the remaining peers to searchable before it can designate them as primary to
replace the missing primaries. While this time-intensive process is occurring, the
cluster has an incomplete set of primary buckets. Searches can continue, but
only across the available primary buckets. Eventually, the cluster will replace all
the missing primary copies. Searches can then occur across the full set of data.
If, on the other hand, the search factor is at least 2, the cluster can immediately
assign primary status to searchable copies on the remaining nodes. The activity
to replace the searchable copies from the downed node will still occur, but in the
meantime searches can continue uninterrupted across all the cluster's data.
For detailed information on peer failure, read the topic What happens when a
peer node goes down.
For information on how a multisite cluster handles peer node failure, read How
multisite indexer clusters deal with peer node failure.
If a master node goes down, peer nodes can continue to index and replicate
data, and the search head can continue to search across the data, for some
period of time. Problems eventually will arise, however, particularly if one of the
peers goes down. There is no way to recover from peer loss without the master,
and the search head will then be searching across an incomplete set of data.
Generally speaking, the cluster continues as best it can without the master, but
the system is in an inconsistent state and results cannot be guaranteed.
For detailed information on master failure, read the topic What happens when a
master node goes down.
• Clusters have three types of nodes: master, peers, and search heads.
• Each cluster has exactly one master node.
• The cluster can have any number of peer nodes and search heads.
• The master node controls the entire cluster. Although the master resides
physically on a site, the master is not actually a member of any site.
However, each master has a built-in search head, and that search head
requires that you specify a site for the master as a whole. Note that the
master's search head is for testing purposes only. Do not use it in a
production environment.
• This is an example of a cluster that has been configured for search affinity.
Each site has its own search head, which searches the set of peer nodes
on its site. Depending on circumstances, however, a search head might
also search peers outside its own site. See Multisite searching and search
affinity.
• The peers replicate data across site boundaries. This behavior is
fundamental for both disaster recovery and search affinity.
In this particular example, the replication factor explicitly specifies all sites, but
that is not a requirement. An explicit site is a site that the replication factor
explicitly specifies. A non-explicit site is a site that the replication factor does
not explicitly specify.
Note: In this example, the total value cannot be 4. It must be at least 5. This is
because, when the replication factor has non-explicit sites, the total must be at
least the sum of all explicit site and origin values.
For details on replication factor syntax and behavior, read "Configure the site
replication factor".
The site search factor works the same way. For details, read "Configure the site
search factor".
Multisite indexing
This section briefly describes the main multisite differences, using the example of
a three-site cluster with a replication factor along the lines sketched below.
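One replication factor consistent with the behavior described in the bullets below (the values are illustrative) is:

site_replication_factor = origin:2,site1:1,site2:1,site3:1,total:5

Because the origin value is higher than the site1 value, site1 holds two copies of data that it originates but only one copy of data that originates elsewhere.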
• Multisite replication has the concept of the origin site, which allows the
cluster to handle data differently for the site that it originates on. The
example illustrates this. If site1 originates the data, it gets two copies. If
another site originates the data, site1 gets only one copy.
• As with single-site replication, you cannot specify the exact peers that will
receive the replicated data. However, you can specify the sites whose
peers will receive the data.
For information on how the cluster handles migrated single-site buckets, see
"Migrate an indexer cluster from single-site to multisite".
To accomplish this, you configure the search factor so that each site has at least
one full set of searchable data. The master then ensures that each site has a
complete set of primary bucket copies, as long as the sites are functioning
properly. This is known as the valid state.
With search affinity, the search heads still distribute their search requests to all
peers in the cluster, but only the peers on the same site as the search head
respond to the request by searching their primary bucket copies and returning
results to the search head.
If the loss of some of a site's peers means that it no longer has a full set of
primaries (and thus is no longer in the valid state), bucket fix-up activities will
attempt to return the site to the valid state. During the fix-up period, peers on
remote sites will participate in searches, as necessary, to ensure that the search
head still gets a full set of results. After the site regains its valid state, the search
head once again uses only local peers to fulfill its searches.
Note: You can disable search affinity if desired. When disabled for a particular
search head, that search head can get its data from peers on any sites.
For more information on search affinity and how to configure the search factor to
support it, see "Implement search affinity in a multisite indexer cluster". For more
information on the internals of search processing, including search affinity, see
"How search works in an indexer cluster".
The way that multisite clusters deal with node failure has some significant
differences from single-site clusters.
Important: Before reading this section, you must understand the concept of a
"reserve" bucket copy. A reserve copy is a copy awaiting assignment to a peer.
As a consequence of multisite peer node failure, some bucket copies might not
be immediately assigned to a peer. For example, in a cluster with a total
replication factor of 5, the master might tell the originating peer to stream buckets
to just three other peers. This results in four copies (the original plus the three
streamed copies), with the fifth copy awaiting assignment to a peer once certain
conditions are met. The fifth, unassigned copy is known as a reserve copy. This
section describes how the cluster must sometimes reserve copies when peer
nodes fail.
How multisite clusters deal with peer node failure
When a peer goes down, bucket fix-up happens within the same site, if possible.
The cluster tries to replace any missing bucket copies by adding copies to peers
remaining on that site. (In all cases, each peer can have at most one copy of any
particular bucket.) If it is not possible to fix up all buckets by adding copies to
peers within the site, then, depending on the replication and search factors, the
cluster might make copies on peers on other sites.
The fix-up behavior under these circumstances depends partially on whether the
failed peer was on an explicit or non-explicit site.
If enough peers go down on an explicit site such that the site can no longer meet
its site-specific replication factor, the cluster does not attempt to compensate by
making copies on peers on other sites. Rather, it assumes that the requisite
number of peers will eventually return to the site. For new buckets also, it holds
copies in reserve for the return of peers to the site. In other words, it does not
assign those copies to peers on a different site, but instead waits until the first
site has peers available and then assigns the copies to those peers.
For example, consider a three-site cluster (site1, site2, site3) with a replication
factor along the lines sketched below.
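A sketch of one such factor, with site1 and site2 explicit and site3 non-explicit (values illustrative):

site_replication_factor = origin:1,site1:1,site2:1,total:5

Because site3 is not listed, any copies it holds come from the unassigned portion of the total.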
When a non-explicit site loses enough peers such that it can no longer maintain
the number of bucket copies that it already has, the cluster compensates by
adding copies to other sites to make up the difference. For example, assume that
the non-explicit site3 in the example above has two copies of some bucket, and
that it then loses all but one of its peers, so that it can only hold one copy of each
bucket. The cluster compensates by streaming a copy of that bucket to a peer on
one of the other sites, assuming there is at least one peer that does not yet have
a copy of that bucket.
For information on how a cluster handles the case where all the peer nodes on a
site fail, see "How the cluster handles site failure".
How the cluster handles site failure
Site failure is just a special case of peer node failure. Cluster fix-up occurs
following the rules described earlier for peer node failure. Of particular note, the
cluster might hold copies in reserve against the eventual return of the site.
For any copies of existing buckets that are held in reserve, the cluster does not
add copies to other sites during its fix-up activities. Similarly, for any new buckets
added after the site goes down, the cluster reserves some number of copies until
the site returns to the cluster.
• For explicit sites, the cluster reserves the number of copies and
searchable copies specified in the site's search and replication factors.
• For non-explicit sites, the cluster reserves one searchable copy if the
total components of the site's search and replication factors are
sufficiently large, after handling any explicit sites, to accommodate the
copy. (If the search factor isn't sufficiently large but the replication factor is,
the cluster reserves one non-searchable copy.)
For example, say you have a three-site cluster with two explicit sites (site1 and
site2) and one non-explicit site (site3), with a configuration along the lines sketched below.
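A sketch of one such configuration, with site1 and site2 explicit and site3 non-explicit (values illustrative):

site_replication_factor = origin:1,site1:2,site2:2,total:6
site_search_factor = origin:1,site1:1,site2:1,total:4

With these values, after the explicit sites and the origin are satisfied, the totals leave room for one additional searchable copy, which the cluster can reserve for the non-explicit site3.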
Once the reserved copies are accounted for, the cluster replicates any remaining
copies to other available sites, both during fix-up of existing buckets and when
adding new buckets.
When the site returns to the cluster, bucket fix-up occurs for that site to the
degree necessary to ensure that the site has, at a minimum, its allocation of
reserved bucket copies, both for new buckets and for buckets that were on the
site when it went down.
If the site that fails is the site on which the master resides, you can bring up a
stand-by master on one of the remaining sites. See "Handle indexer cluster
master site failure".
A multisite cluster handles master node failure the same as a single-site cluster.
The cluster continues to function as best it can under the circumstances. See
"What happens when a master node goes down".
Deploy the indexer cluster
Before you attempt to deploy a cluster, you must be familiar with several areas of
Splunk Enterprise administration:
Important: This chapter assumes that you are deploying independent search
heads in the indexer cluster. For information on how to incorporate search heads
that are members of a search head cluster, see "Integrate the search head
cluster with an indexer cluster" in the Distributed Search manual.
Deploying a multisite cluster?
Deploy a cluster
When you deploy a cluster, you enable and configure the cluster master and the
peer nodes that perform the indexing. You also enable a search head to search
data in the cluster. In addition, you usually set up forwarders to send data to the
cluster. Here is a diagram of a small cluster, showing the various nodes that you
deploy.
a. Understand your data availability and failover needs. See "About indexer
clusters".
b. Decide whether to deploy a single-site cluster or a multisite cluster. Multisite clusters are valuable
because they allow you to distribute copies of your data across multiple
locations. They also enable search affinity, which reduces network traffic by
limiting searches to local data. For more information, read "Multisite indexer
clusters".
c. Decide what replication factor you want to implement. The replication factor
is the number of copies of raw data that the cluster maintains. Your optimal
replication factor depends on factors specific to your environment, but essentially
involves a trade-off between failure tolerance and storage capacity. A higher
replication factor means that more copies of the data will reside on more peer
nodes, so your cluster can tolerate more node failures without loss of data
availability. But it also means that you will need more nodes and more storage to
handle the additional data. For multisite clusters, you also need to decide how
many copies to put on each site. For more information, see "Replication factor".
Warning: Make sure you start by choosing the right replication factor for your
needs. It is inadvisable to increase the replication factor after the cluster contains
a significant amount of data. The cluster would need to perform a large amount
of bucket copying to match the increased replication factor, significantly slowing
the overall performance of your cluster while the copying is occurring.
d. Decide what search factor you want to implement. The search factor tells the
cluster how many searchable copies of indexed data to maintain. This helps
determine the speed with which a cluster can recover from a downed node. A
higher search factor allows the cluster to recover more quickly, but it also
requires more storage space and processing power. For most single-site
deployments, the default search factor value of 2 represents the right trade-off,
allowing searches usually to continue with little interruption when a node goes
down. For multisite clusters, you also need to decide how many searchable
copies to put on each site. For more information, see "Search factor".
Warning: Make sure you start by choosing the right search factor for your needs.
It is inadvisable to increase the search factor after the cluster contains a
significant amount of data. The cluster would need to perform a large amount of
processing (transforming non-searchable bucket copies into searchable copies)
to match the increased search factor, and this will have an adverse effect on the
overall performance of your cluster while the processing is occurring.
e. Identify other factors that also determine the size of your cluster; for example,
the quantity of data you will be indexing. It usually makes sense to keep all your
indexers in a single cluster, so for horizontal scaling, you will need to add peer
nodes beyond those required by the replication factor. Similarly, depending on
the anticipated search load, you might need to add more than one search head.
f. Study the topic "System requirements and other deployment considerations for
indexer clusters" for information on other key issues.
• You need at least the replication factor number of peer nodes, but you
might want to add more peers to boost indexing capacity, as mentioned in
step 1e.
• You also need two more instances, one for the master node and the
other for the search head.
For multisite clusters, you must also take into account the search head and peer
node requirements of each site, as determined by your search affinity and
disaster recovery needs. See "Multisite indexer cluster deployment overview".
For information on how to install Splunk Enterprise, read the Installation Manual.
a. Configure the peers' index settings. This step is necessary only if you need to
augment the set of default indexes and apps. In general, all the peers must use
the same set of indexes, so if you add indexes (or apps that define indexes) to
one peer, you must add them to all peers, using a cluster-specific distribution
method. There might also be other configurations that you need to coordinate
across the set of peers. See "Prepare the peers for index replication" for
information on how to do this.
b. Configure the peers' data inputs. For most purposes, it is best to use
forwarders to send data to the peers, as discussed in "Ways to get data into an
indexer cluster". As that topic states, you will usually want to deploy
load-balancing forwarders with indexer acknowledgment enabled.
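For example, a forwarder's outputs.conf might load-balance across the peers with indexer acknowledgment turned on. This is only a sketch; the group name and addresses are placeholders:

[tcpout:cluster_peers]
server = 10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
useACK = true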
After you enable the nodes and set up data inputs for the peers, the cluster
automatically begins indexing and replicating the data.
5. Configure the master node to forward its data to the peer nodes. This
best practice provides several advantages. See "Best practice: Forward master
node data to the indexer layer".
Read this topic carefully if you plan to migrate your current set of indexers
to a cluster.
Neither the deployment server nor any third party deployment tool (such as
Puppet or CFEngine, among others) is supported as a means to distribute
configurations or apps to cluster peers (indexers).
To distribute configurations across the set of cluster peers, instead use the
configuration bundle method outlined in the topic "Update common peer
configurations". As that topic explains, the configuration bundle method involves
first placing peer apps on the master node, which then distributes those apps to
the peer nodes in a coordinated fashion.
For information on how to migrate app distribution from the deployment server to
the configuration bundle method, see "Migrate apps to a cluster".
Note: You can use deployment server to distribute updates to search heads in
indexer clusters, as long as they are standalone search heads. You cannot use
the deployment server to distribute updates to members of a search head
cluster.
The primary one is indexer acknowledgment. In addition, the need to
store, and potentially index, replicated data coming from other peer nodes
has some effect on performance.
• When restarting cluster peers, you should use Splunk Web or one of the
cluster-aware CLI commands, such as splunk offline or splunk
rolling-restart. Do not use splunk restart. For details, see "Restart
the entire indexer cluster or a single cluster node."
For example, to deploy a cluster consisting of three peers, one master, and one
search head, you need five Splunk Enterprise instances running on five
machines connected over a network. And all machines must be running the
same operating system.
These are some additional issues to be aware of:
Each cluster node must reside on its own Splunk Enterprise instance. Therefore,
the cluster must consist of at least (replication factor + 2) instances: a minimum
of replication factor number of peer nodes, plus one master node and one or
more search heads. For example, if you want to deploy a cluster with a
replication factor of 3, you must set up at least five instances: three peers, one
master, and one search head. To learn more about the replication factor, see
"Replication factor" in this manual.
The size of your cluster depends on other factors besides the replication factor,
such as the amount of data you need to index. See "Indexer cluster deployment
overview".
Important: While the master has search capabilities, you should only use those
capabilities for debugging purposes. The resources of the master must be
dedicated to fulfilling its critical role of coordinating cluster activities. Under no
circumstances should the master be employed as a production search head. See
"Additional roles for the master node".
• The master node must run the same version as, or a later version than, the peer
nodes and search heads.
• The search heads must run the same version as, or a later version than, the peer
nodes.
• The peer nodes must all run exactly the same version, down to the
maintenance level.
Compatibility between the master and the peer nodes and search heads
Peer nodes and search heads can run different versions from the master, subject
to these restrictions:
• The master node must run the same version as, or a later version than, the peer
nodes and search heads.
• The master node can run at most three minor version levels later than the
peer nodes. For example, a 7.0 master node can run against 6.6, 6.5, and
6.4 peer nodes, but not 6.3 peer nodes.
Note: Mixed-version clusters are available only with recent versions of Splunk
Enterprise:
To run a 6.2 or later master against 6.1 peer nodes, you must set the attribute
use_batch_mask_changes in the master's server.conf file to false:
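A minimal sketch of that setting, assuming it belongs in the [clustering] stanza of the master's server.conf:

[clustering]
use_batch_mask_changes = false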
Caution: After upgrading all peer nodes to 6.2 or later, you must revert
use_batch_mask_changes to true.
All peer nodes must run the same version of Splunk Enterprise, down to the
maintenance level. You must update all peer nodes to a new release at the same
time. You cannot, for example, run an indexer cluster with some peer nodes at
6.n.2 and others at 6.n.1.
Starting with 6.3, the peer nodes and search heads can run different versions
from each other. The search heads must run the same version as, or a later version than, the
peer nodes.
Machine requirements
Each node of the cluster (master node, peer nodes, and search heads) must run
on its own, separate machine or virtual machine. Other than that, the hardware
requirements, aside from storage, are basically the same as for any Splunk
Enterprise instance. See "Reference hardware" in the Capacity Planning Manual.
The main difference is in the storage requirements for peer nodes, discussed
below.
Note: The storage needs of the master node are significantly lower than those
specified in the "Reference hardware" topic, since the master does not index
external data.
All indexer cluster nodes (master node, peer nodes, and search heads) must run
on the same operating system.
If the indexer cluster is integrated with a search head cluster, then the search
head cluster instances, including the deployer, must run on the same operating
system as the indexer cluster nodes.
It is important that you synchronize the system clocks on all machines, virtual or
physical, that are running Splunk Enterprise instances participating in the cluster.
Specifically, this means your master node, peer nodes, and search heads.
Otherwise, various issues can arise, such as timing problems between the
master and peer nodes, search failures, or premature expiration of search
artifacts.
The synchronization method you use depends on your specific set of machines.
Consult the system documentation for the particular machines and operating
systems on which you are running Splunk Enterprise. For most environments,
Network Time Protocol (NTP) is the best approach.
Storage considerations
When determining storage requirements for your clustered indexes, you need to
consider the increased capacity, across the set of peer nodes, necessary to
handle the multiple copies of data.
It is strongly recommended that you provision all peer nodes to use the same
amount of disk storage.
Clusters use the usual settings for managing index storage, as described in
"Configure index storage".
With a cluster, in addition to considering the volume of incoming data, you must
consider the replication factor and search factor to arrive at your total storage
requirements across the set of peer nodes. With a replication factor of 3, you are
storing three copies of your data. You will need extra storage space to
accommodate these copies, but you will not need three times as much storage.
Replicated copies of non-searchable data are smaller than copies of searchable
data, because they include only the data and not the associated index files. So,
for example, if your replication factor is 3 and your search factor is 2, you will
need more than two, but less than three, times the storage capacity compared to
storing the same data on non-clustered indexers.
Exactly how much less storage your non-searchable copies require takes some
investigation on your part. The index files excluded by non-searchable copies
can vary greatly in size, depending on factors described in "Estimating your
storage requirements" in the Installation Manual.
As a ballpark figure, incoming syslog data, after it has been compressed and
indexed, occupies approximately 50% of its original size: roughly 15% for the rawdata and 35% for the associated index files.
In practice, this estimate can vary substantially, based on the factors described in
"Estimating your storage requirements" in the Installation Manual.
Assume you have 100GB of syslog data coming into Splunk Enterprise. In the
case of a non-clustered indexer, that data would occupy approximately 50GB
(50% of 100GB) of storage on the indexer. However, in the case of clusters,
storage calculations must factor in the replication factor and search factor to
arrive at total storage requirements across all the cluster peers. (As mentioned
earlier, you cannot easily predict exactly how much storage will be required on
any specific peer.)
Assume, for example, that the cluster has a replication factor of 5 and a search factor of 3. The cluster stores rawdata for every copy of a bucket, but index files only for the searchable copies, so:
♦ Total rawdata = (15GB * 5) = 75GB.
♦ Total index files = (35GB * 3) = 105GB.
The total storage requirement across all peer nodes for this data is therefore approximately 180GB.
Storage hardware
Licensing information
There are just a few license issues that are specific to index replication:
• All cluster nodes, including masters, peers, and search heads, need to be
in an Enterprise license pool, even if they're not expected to index any
data.
• Cluster nodes must share the same licensing configuration.
• Only incoming data counts against the license; replicated data does not.
• You cannot use index replication with a free license.
• On the master:
♦ The management port (by default, 8089) must be available to all
other cluster nodes.
• On each peer:
♦ The management port must be available to all other cluster nodes.
♦ The replication port must be available to all other peer nodes.
♦ The receiving port must be available to all forwarders sending data
to that peer.
• On each search head:
♦ The management port must be available to all other nodes.
♦ The http port (by default, 8000) must be available to any browsers
accessing data from the search head.
For information on how to migrate app distribution from deployment server to the
configuration bundle method, see "Migrate apps to a cluster".
As a general rule, you should dedicate the Splunk Enterprise instance running
the master node to that single purpose. Constrain use of the master's built-in
search head to debugging only.
• License master
• Monitoring console
• Search head cluster deployer
To use the master instance for any of these additional roles, the master's cluster
must remain below the following limits:
• 30 indexers
• 100,000 buckets
• 10 indexes
• 10 search heads
For a general discussion of management component colocation, see
Components that help to manage your deployment in the Distributed Deployment
Manual.
A cluster has one, and only one, master node. The master node coordinates the
activities of the peer nodes. It does not itself store or replicate data (aside from its
own internal data).
You must enable the master node as the first step in deploying a cluster, before
setting up the peer nodes.
The procedure in this topic explains how to use Splunk Web to enable a master
node. You can also enable a master in two other ways:
• Directly edit the master's server.conf file. See "Configure the master with
server.conf" for details. Some advanced settings can only be configured
by editing this file.
• Use the CLI edit cluster-config command. See "Configure the master
with the CLI" for details.
Important: This topic explains how to enable a master for a single-site cluster
only. If you plan to deploy a multisite cluster, see "Configure multisite indexer
clusters with server.conf".
2. In the Distributed environment group, click Indexer clustering.
The message appears, "You must restart Splunk for the master node to become
active. You can restart Splunk from Server Controls."
7. Click Go to Server Controls. This takes you to the Settings page where you
can initiate the restart.
Important: When the master starts up for the first time, it will block indexing on
the peers until you enable and restart the full replication factor number of peers.
Do not restart the master while it is waiting for the peers to join the cluster. If you
do, you will need to restart the peers a second time.
After the restart, log back into the master and return to the Clustering page in
Splunk Web. This time, you see the master clustering dashboard. For information
on the dashboard, see "View the master dashboard".
Before enabling the set of peers, you must enable and restart the master node,
as described in "Enable the master node". When the master starts up for the first
time, it will block indexing on the peers until you have enabled and restarted the
replication factor number of peers.
The procedure in this topic explains how to use Splunk Web to enable a peer
node. You can also enable a peer in two other ways:
• Directly edit the peer's server.conf file. See "Configure peer nodes with
server.conf" for details.
• Use the CLI edit cluster-config command. See "Configure peer nodes
with the CLI" for details.
Important: This topic explains how to enable a peer for a single-site cluster only.
If you plan to deploy a multisite cluster, see "Configure multisite indexer clusters
with server.conf".
4. Select Peer node and click Next.
• Master URI. Enter the master's URI, including its management port. For
example: https://10.152.31.202:8089.
• Peer replication port. This is the port on which the peer receives
replicated data streamed from the other peers. You can specify any
available, unused port for this purpose. This port must be different from
the management or receiving ports.
• Security key. This is the key that authenticates communication between
the master and the peers and search heads. The key must be the same
across all cluster nodes. Set the same value here that you previously set
on the master node.
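The same settings map directly onto the CLI alternative mentioned earlier. A sketch, with the replication port and security key as placeholders:

splunk edit cluster-config -mode slave -master_uri https://10.152.31.202:8089 -replication_port 9100 -secret your_key
splunk restart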
The message appears, "You must restart Splunk for the peer node to become
active."
7. Click Go to Server Controls. This takes you to the Settings page where you
can initiate the restart.
When you have enabled the replication factor number of peers, the cluster can
start indexing and replicating data, as described in "Enable the master node".
After the restart, log back into the peer node and return to the Clustering page in
Splunk Web. This time, you see the peer's clustering dashboard. For information
on the dashboard, see "View the peer dashboard".
After enabling the peers, you need to perform additional configuration before you
start indexing data. For details, read these topics:
You might also need to configure some other settings on the peers. See "Peer
node configuration overview".
To search the cluster, you need to enable at least one search head in the
indexer cluster.
Before enabling the search head, you must enable and restart the master node,
as described in "Enable the master node".
The procedure in this topic explains how to use Splunk Web to enable a search
head. You can also enable a search head in two other ways:
• Directly edit the search head's server.conf file. See "Configure the search
head with server.conf" for details. Some advanced settings, including
multi-cluster search, can only be configured by editing this file.
• Use the CLI edit cluster-config command. See "Configure the search
head with the CLI" for details.
Important: This topic explains how to enable an individual search head for a
single-site cluster only:
4. Select Search head node and click Next.
• Master URI. Enter the master's URI, including its management port. For
example: https://10.152.31.202:8089.
• Security key. This is the key that authenticates communication between
the master and the peers and search heads. The key must be the same
across all cluster nodes. Set the same value here that you previously set
on the master node.
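As with the other node types, the CLI alternative takes the same values. A sketch (the security key is a placeholder):

splunk edit cluster-config -mode searchhead -master_uri https://10.152.31.202:8089 -secret your_key
splunk restart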
The message appears, "You must restart Splunk for the search node to become
active. You can restart Splunk from Server Controls."
7. Click Go to Server Controls. This takes you to the Settings page where you
can initiate the restart.
Next steps
Now that you have enabled the search head, you can:
After the restart, log back into the search head and return to the Clustering page
in Splunk Web. This time, you see the search head's clustering dashboard. See
"View the search head dashboard" for more information.
From the dashboard, you can add additional clusters for the search head to
search. For details, see "Search across multiple indexer clusters".
Add search heads to an indexer cluster
If you want to set up more search heads for an indexer cluster, just repeat the
enablement procedure for additional instances. If you want to deploy a search
head cluster, so that the search heads share configurations and jobs, see the
additional configuration instructions in the topic "Integrate the search head cluster
with an indexer cluster" in the Distributed Search manual.
The preferred approach is to forward the data directly to the indexers, without
indexing separately on the master. You do this by configuring the master as a
forwarder. These are the main steps:
1. Make sure that all necessary indexes exist on the indexers. This is
normally the case, unless you have created custom indexes on the master node.
Since _audit and _internal exist on indexers as well as the master, you do not
need to create separate versions of those indexes to hold the corresponding
master data.
2. Configure the master as a forwarder. Create an outputs.conf file on the
master node that configures it for load-balanced forwarding across the set of
peer nodes. You must also turn off indexing on the master, so that the master
does not both retain the data locally as well as forward it to the peers.
[tcpout]
defaultGroup = my_peers_nodes
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_peers_nodes]
server = 10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
This example assumes that each peer node's receiving port is set to 9997.
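If the peers are not already configured to receive forwarded data, you typically open a receiving port on each peer. A sketch of the inputs.conf form, matching the port in the example:

[splunktcp://9997]
disabled = 0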
If you use only the default set of indexes and default configurations, you can start
replicating data right away. However, if you need to install apps or change
configurations on the peers, you usually must apply the set of changes to all
peers. In particular, if you need to add indexes (including indexes defined by an
app), you must do so in a way that ensures that the peers use a common set of
indexes.
For information on how to configure apps across peers, as well as other peer
configuration issues, read "Peer node configuration overview".
Use indexer clusters to scale indexing
The main purpose of indexer clusters is to enable index replication. However,
clusters can also be generally useful in scale-out deployment topologies as a
way to manage multiple indexers, even when index replication isn't a
requirement.
For example, say you want to create a deployment of three indexers and one
search head, so that you can index larger quantities of data than a single indexer
is capable of. The customary way of doing this, and the only way possible prior to
Splunk Enterprise 5.0, is to set up each of the indexers independently, add in a
search head, and then use a tool like deployment server to coordinate the
indexer configurations.
With clustering, you can instead configure this deployment scenario as a cluster,
with three peer nodes replacing the three independent indexers. Even if you don't
need index replication and its key advantages like data availability and disaster
tolerance, there are several reasons why it might be beneficial to use a cluster to
coordinate multiple indexer instances:
The main downsides of employing a cluster for scaling indexing capacity are
these:
Cluster peer management compared to deployment server
One useful cluster feature is the ability to manage and update the configuration
for all indexers (peer nodes) from a central location, the master node. In that
respect, it's similar in function to the deployment server. Unlike the deployment
server, however, cluster peer management does not have any concept of server
classes. Because of this, and because of the way clusters coordinate their
activities, you cannot specify different app or indexes.conf configurations for
different groups of indexers. (All peer nodes in a cluster must use the same
indexes.conf configurations, as well as some other configurations, as described
in "Peer node configuration overview".) If you need to maintain a heterogeneous
set of indexers, you cannot employ clusters for scaling purposes.
On the other hand, the configuration bundle method used to distribute updates to
peer nodes has certain advantages over the deployment server. Specifically, it
not only distributes updates, it also validates them on the peers, and then (when
necessary) initiates a rolling restart of the peers. See "Update common peer
configurations" for details.
To set up a cluster for scale-out deployment, without index replication, just set
both the replication factor and search factor to 1. This causes the cluster to
function purely as a coordinated set of Splunk Enterprise instances, without data
replication. The cluster will not make any duplicate copies of the data, so you can
keep storage size and processing overhead to a minimum.
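A sketch of the CLI form of this setting on the master (the same values can also go directly in server.conf):

splunk edit cluster-config -replication_factor 1 -search_factor 1
splunk restart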
You can add a non-clustered indexer to a cluster (as a peer node) at any time.
To do so, just enable the indexer as a peer, as described in "Enable the peer
nodes".
Once the indexer has been made a peer, it participates in the cluster the same
as any other peer. Any new data coming into the peer gets replicated according
to the cluster's replication factor, and the peer is also a candidate for receiving
replicated data from other peers. Data already on the indexer does not get
automatically replicated, but it does participate in searches, as described below.
The term "legacy data" means data stored on an indexer prior to its conversion to
a cluster peer.
When you add an existing indexer to the cluster, the cluster does not replicate
any buckets that are already on the indexer.
Buckets already on the indexer prior to its being added to the cluster are called
"standalone" buckets. Searches will still occur across those buckets and will be
combined with search results from the cluster's replicated buckets.
If you currently use a deployment server to distribute apps to the indexers, you cannot continue to do
so once you convert the indexers to cluster peer nodes. See "Key differences
between clustered and non-clustered deployments of indexers" for details.
To distribute apps to peer nodes, you must instead use the configuration
bundle method described in "Update common peer configurations and apps".
You place the apps in a special location on the master node, and the master
pushes the apps to each indexer when you first enable it as a peer. If you need
to add or change apps later on, you make the changes and additions on the
master and then tell the master to push the updated configuration bundle to the
entire set of peers.
For information on how the configuration bundle method compares with the
deployment server, see "Cluster peer management compared to deployment
server".
Important: You must use the configuration bundle method to distribute apps to
peer nodes; the deployment server is unsupported for that purpose.
It's recommended that you migrate apps at the time that you enable the cluster.
The procedure below describes how to do that.
Important: You must be familiar with the preceding topics in the current chapter
before attempting this procedure. Start with "Indexer cluster deployment
overview" and read onwards until you return to this topic.
This procedure assumes that you are starting with a distributed search
environment with a set of indexers configured as deployment clients of a
deployment server. The deployment server is being used to push apps to the
indexers. It is these indexers that you will be converting to cluster peer nodes.
Once they've become peer nodes, you can no longer use the deployment server
to push apps to them; instead, you must use the configuration bundle method.
To migrate your apps at the time of cluster enablement, follow these steps:
2. On the deployment server, locate the set of apps that it pushes to the indexers
that you're planning to migrate. These should be under the deployment server's
$SPLUNK_HOME/etc/deployment-apps directory.
3. Copy these apps from the deployment server to the cluster master's
$SPLUNK_HOME/etc/master-apps directory. See "Structure of the configuration
bundle" for information on the master-apps directory.
4. Examine each app in master-apps for any indexes.conf file(s). In those files,
locate any stanzas that define new indexes. In each of those stanzas, add this
attribute/value pair:
repFactor=auto
This enables replication for the index. See "The indexes.conf repFactor attribute"
for more information.
Note: If you are the creator and maintainer of the app, you can also make this
change in $SPLUNK_HOME/etc/master-apps/<appname>/default/indexes.conf.
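For example, a stanza in one of those indexes.conf files might end up looking like this (the index name and paths are illustrative):

[my_custom_index]
homePath   = $SPLUNK_DB/my_custom_index/db
coldPath   = $SPLUNK_DB/my_custom_index/colddb
thawedPath = $SPLUNK_DB/my_custom_index/thaweddb
repFactor  = auto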
e. Verify that the master has pushed the expected set of apps to the peer's
$SPLUNK_HOME/etc/slave-apps directory.
6. Once all peers have been enabled, go to the master dashboard and verify that
the expected set of indexes is being replicated. This dashboard is described in
"View the master dashboard".
Upgrade an indexer cluster
The upgrade process differs considerably depending on the nature of the
upgrade. This topic covers these version-based scenarios:
To convert a single-site indexer cluster to multisite, perform the upgrade first and
then read Migrate an indexer cluster from single-site to multisite.
If you are upgrading from 6.x or 7.x, you can upgrade each cluster separately,
following the steps for tiered upgrades. See Upgrade each tier separately.
1. Follow the procedure in this topic for the type of indexer cluster upgrade
that fits your deployment.
2. Stop all search head cluster members during the step in the indexer
cluster upgrade that calls for stopping the search head.
3. Perform the remainder of the search head cluster upgrade steps during
the step in the indexer cluster upgrade that calls for upgrading the search
head, using the upgrade process described in Perform a non-rolling
upgrade in Distributed Search.
Upgrading an indexer cluster that does not have a custom
security key?
Starting in 6.6, a non-default security key is required. If the cluster's security key
was never explicitly set to a custom value, a warning message appears on the
master node:
To remediate this situation, you must set the security key on all the cluster nodes
(master, peer nodes, search heads) while the cluster is down. The key must be
the same across all cluster nodes.
You set the security key with the pass4SymmKey attribute in server.conf. See
Configure the security key.
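A minimal sketch of the setting, which goes in the [clustering] stanza of server.conf on every cluster node (the key value is a placeholder):

[clustering]
pass4SymmKey = your_custom_key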
To set the key during cluster upgrade, you must upgrade all cluster tiers at once,
following the procedure in Upgrade all tiers at once. Set the security key while all
nodes are down, so that they all have the same security key when they start up.
When upgrading a 6.x or 7.0 single-site indexer cluster to a later version, you
must take down and upgrade all peer nodes as a single operation. You cannot
perform a rolling, online upgrade of the peer nodes. If you have a multisite
cluster, however, you can upgrade one site at a time. See Site-by-site upgrade
for multisite indexer clusters.
You can upgrade all tiers of the cluster (master node, search heads, peer nodes)
at once or you can upgrade each tier separately.
The tiered approach is particularly useful if the search head tier consists of a
search head cluster, because it eliminates the need to upgrade the search head
cluster simultaneously with the indexer cluster peer nodes.
incompatibilities between node types running different versions.
To upgrade all cluster tiers at once, see Upgrade all tiers at once.
You can view the master dashboard to verify that all cluster nodes are up and
running.
• You must upgrade the tiers in the prescribed order.
• Within each tier, you must upgrade all nodes as a single operation.
Functionality introduced in the new release will not be available until all tiers
complete the upgrade.
You must follow this order of upgrade when upgrading the tiers in discrete
operations:
You can view the master dashboard to verify that all cluster nodes are up and
running.
The method that you use to upgrade the search head tier depends on whether or
not the tier consists of a search head cluster:
• If the search head tier consists of a search head cluster, follow the
procedure in Upgrade a search head cluster. If desired, you can perform a
rolling upgrade of the search head cluster, as described in that topic.
• If the search head tier consists of independent search heads, follow this
procedure:
the Installation Manual.
3. Start the search heads, if they are not already running.
You can view the master dashboard to verify that all cluster nodes are up and
running.
When upgrading from 7.1 or later, you can perform a searchable rolling upgrade
of the indexer cluster. See Use rolling upgrade.
If you have a multisite cluster, you can upgrade one site at a time, as long as you
are upgrading across no more than one sequential n.n version (for example, from
6.5 to 6.6, or 6.6 to 7.0, but not 6.5 to 7.0). Because each site has a full set of
primary copies, this method allows searches to continue uninterrupted during the
upgrade.
Caution: You cannot perform a site-by-site upgrade if you are upgrading across
more than one sequential n.n version (for example, from 6.4 to 6.6 or 6.5 to 7.0).
To upgrade across multiple sequential n.n versions, you must take down all peer
nodes across all sites during the upgrade process. You can do so by following
either of the procedures outlined in Upgrade a 6.x or 7.x indexer cluster.
Functionality introduced in the new release will not be available until all nodes
complete the upgrade.
For a two-site cluster, the upgrade procedure has three distinct phases:
2. Upgrade the master node, following the normal procedure for any Splunk
Enterprise upgrade, as described in How to upgrade Splunk Enterprise in the
Installation Manual.
5. Stop all the peers and search heads on site1 with the splunk stop command.
7. Start the site1 peer nodes and search heads, if they are not already running.
9. Wait until the master dashboard shows that both the search factor and
replication factor are met.
10. Run splunk enable maintenance-mode on the master. To confirm that the
master is in maintenance mode, run splunk show maintenance-mode.
11. Stop all the peers and search heads on site2 with the splunk stop command.
13. Start the site2 peer nodes and search heads, if they are not already running.
14. Run splunk disable maintenance-mode on the master. To confirm that the
master is not in maintenance mode, run splunk show maintenance-mode.
You can view the master dashboard to verify that all cluster nodes are up and
running.
Caution: Even with a rolling upgrade, you should upgrade all nodes quickly, for
several reasons:
• Proper functioning of the cluster depends on all peer nodes running the
same version of Splunk Enterprise, as stated in System requirements and
other deployment considerations for indexer clusters.
• Other version compatibility requirements must also be met, as described
in System requirements and other deployment considerations for indexer
clusters.
• If you upgrade the master but not the peers, the cluster might generate
errors and warnings. This is generally okay for a short duration, but you
should complete the upgrade of all nodes as quickly as possible.
To upgrade a cluster node, follow the normal procedure for any Splunk
Enterprise upgrade, with the few exceptions described below. For general
information on upgrading Splunk Enterprise instances, see How to upgrade
Splunk Enterprise.
1. Upgrade the master node
For information on what happens when the master goes down, as well as what
happens when it comes back up, see What happens when the master node goes
down.
The only impact to the cluster when you upgrade the search heads is disruption
to searches during that time.
Run splunk enable maintenance-mode on the master. To confirm that the master
is in maintenance mode, run splunk show maintenance-mode. This step prevents
unnecessary bucket fix-ups. See Use maintenance mode.
• To bring a peer down prior to upgrade, use the splunk offline command,
as described in Take a peer offline.
• During the interim between when you upgrade the master and when you
finish upgrading the peers, the cluster might generate various warnings
and errors.
• For multisite clusters, the site order of peer upgrades does not matter.
Upgrade from 5.x to 6.x or later
When you upgrade from a 5.x indexer cluster to a 6.x or later cluster, you must
take all cluster nodes offline. You cannot perform a rolling, online upgrade.
1. On the master node, run the safe_restart_cluster_master script with the --get_list option.
This command puts a list of all cluster bucket copies and their states into the file
$SPLUNK_HOME/var/run/splunk/cluster/buckets.xml. This list is fed back to the
master after the master upgrade.
When you bring down the peers, use the splunk stop command, not splunk
offline.
4. Upgrade the master node, following the normal procedure for any Splunk
Enterprise upgrade, as described in How to upgrade Splunk Enterprise in the
Installation Manual. Do not upgrade the peers yet.
6. Run the splunk apply cluster-bundle command, using the syntax described
in Update cluster peer configurations and apps. (This step is necessary to avoid
extra peer restarts, due to a 6.0 change in how the configuration bundle
checksum is calculated.)
7. Run splunk enable maintenance-mode on the master. To confirm that the
master is in maintenance mode, run splunk show maintenance-mode. This step
prevents unnecessary bucket fix-ups. See Use maintenance mode.
8. Upgrade the peer nodes and search heads, following the normal procedure for
any Splunk Enterprise upgrade, as described in How to upgrade Splunk
Enterprise in the Installation Manual.
9. Start the peer nodes and search heads, if they are not already running.
10. On the master, run the safe_restart_cluster_master script again, this time
with the freeze_from option, specifying the location of the bucket list created in
step 1:
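Based on the script's usage string, the command looks roughly like this (credentials are placeholders; the path is the buckets.xml written in step 1):

splunk cmd python $SPLUNK_HOME/bin/safe_restart_cluster_master.py https://localhost:8089 --auth admin:changeme --freeze_from $SPLUNK_HOME/var/run/splunk/cluster/buckets.xml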
11. Run splunk disable maintenance-mode on the master. To confirm that the
master is not in maintenance mode, run splunk show maintenance-mode.
You can view the master dashboard to verify that all cluster nodes are up and
running.
When a peer freezes a copy of a bucket, the master stops doing fix-ups on that
bucket. It operates under the assumption that the other peers will eventually
freeze their copies of that bucket as well.
This works well as long as the master continues to run. However, because (in
5.x) the knowledge of frozen buckets is not persisted on either the master or the
peers, if you subsequently restart the master, the master treats frozen copies (in
the case where unfrozen copies of that bucket still exist on other peers) as
missing copies and performs its usual fix-up activities to return the cluster to a
complete state. If the cluster has a lot of partially frozen buckets, this process can
be lengthy. Until the process is complete, the master is not able to commit the
next generation.
To prevent this situation from occurring when you restart the master after
upgrading to 6.0, you must run the safe_restart_cluster_master script on the
master. As described in the upgrade procedure, when you initially run this script
on the 5.x master with the --get_list option, it creates a list of all cluster bucket
copies and their states, including whether they are frozen. When you then rerun it
after upgrading the master to 6.x, using the freeze_from option, it feeds the list to
the upgraded master so that it does not attempt fix-up of the frozen buckets.
To perform steps 1 and 9 of the upgrade procedure, you must run the
safe_restart_cluster_master script. This script does not ship with the
product. To obtain the script, copy the listing directly below and save it as
$SPLUNK_HOME/bin/safe_restart_cluster_master.py.
Important: You must also copy and save the parse_xml_v3 script, as described
in the next section, The parse_xml_v3 script.
import httplib2
from urllib import urlencode
import splunk, splunk.rest, splunk.rest.format
from parse_xml_v3 import *
import json
import re
import time
import os
import subprocess

+'/services/cluster/master/buckets?count=-1',auth,'GET')
f.write(atom_buckets)
f.close()

# Block until the expected number of peers has rejoined the master.
def wait_for_peers(master_uri,auth,original_number):
    while(num_peers_up(master_uri,auth) != original_number):
        num_peers_not_up = original_number - num_peers_up(master_uri,auth)
        print "Still waiting for " + str(num_peers_not_up) + " peers to join ..."
        time.sleep(5)
    print "All peers have joined"

return splunk.rest.format.parseFeedDocument(content)

h = httplib2.Http(disable_ssl_certificate_validation=True)
h.add_credentials(user, password)
if body is None:
    body = {}
response, content = h.request(url, method, urlencode(body))
if response.status == 401:
    raise Exception("Authorization Failed", url, response)
elif response.status != 200:
    raise Exception(url, response)
return content

# Read buckets.xml and re-freeze every bucket that was marked frozen.
def freeze_from_file(master_uri,auth,path=BUCKET_LIST_PATH):
    # read the buckets.xml from either the path supplied or BUCKET_LIST_PATH
    file = open(path)
    handler = BucketHandler()
    parse(file, handler)
    buckets = handler.getBuckets()
    fcount = 0
    fdone = 0
    for bid, bucket in buckets.iteritems():
        if bucket.frozen:
            fcount += 1
            try:
                freeze_bucket(master_uri,auth, bid)
                fdone += 1
            except Exception as e:
                print e
    print "Total bucket count:: ", len(buckets), "; number frozen: ", fcount, "; number re-frozen: ", fdone

def restart_master(master_uri,auth):
    change_quiet_period(master_uri,auth)
    original_num_peers = num_peers_up(master_uri,auth)
    print "\n" + "Waiting for all " + str(original_num_peers) + " peers to come back up" + "\n"
    wait_for_peers(master_uri,auth,original_num_peers)

if __name__ == '__main__':
    usage = "usage: %prog [options] <master_uri> --auth admin:changeme"
    parser = OptionParser(usage)
    parser.add_option("-a","--auth", dest="auth",
        metavar="user:password", default=':',
        help="Splunk authentication parameters for the master instance");
    parser.add_option("-g","--get_list", action="store_true",
        help="get a list of frozen buckets and store them in buckets.xml");
    parser.add_option("-f", "--freeze_from", dest="freeze_from",
        help="path to the file that contains the list of buckets to be frozen, ie the path to the buckets.xml generated by the get_list option above");
    # parse the command-line arguments into options and positional args
    (options, args) = parser.parse_args()
    if len(args) == 0:
        parser.error("master_uri is required")
    elif len(args) > 1:
        parser.error("incorrect number of arguments")
    master_uri = args[0]
    try:
        validate_rest(master_uri, options.auth)
    except Exception as e:
        print "Failed to access the master info endpoint; make sure you've supplied the authentication credentials"
        raise
    # Let's get a list of frozen buckets, stored in
    if(options.get_list):
        print "Only getting the list of buckets and storing it at " + BUCKET_LIST_PATH
        get_buckets_list(master_uri,options.auth)
    elif(options.freeze_from):
        print "Reading the list of buckets from " + options.freeze_from + " and refreezing them"
        freeze_from_file(master_uri,options.auth,options.freeze_from)
    else:
        print "Restarting the master safely to preserve knowledge of frozen buckets"
        get_buckets_list(master_uri,options.auth)
        restart_master(master_uri,options.auth)
        freeze_from_file(master_uri,options.auth,BUCKET_LIST_PATH)
148
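For reference, a typical invocation at each stage of the upgrade might look like the following sketch. The master URI and credentials are placeholders, and it assumes you run the script with the Python interpreter that ships with Splunk Enterprise (splunk cmd python):

# Before upgrading, on the 5.x master: record all bucket copies and their states
splunk cmd python safe_restart_cluster_master.py https://<master>:8089 --auth admin:changeme --get_list

# After upgrading the master to 6.x: refreeze the recorded frozen buckets
splunk cmd python safe_restart_cluster_master.py https://<master>:8089 --auth admin:changeme --freeze_from <path to buckets.xml>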
The parse_xml_v3 script
To obtain this script, copy the listing below and save it as $SPLUNK_HOME/bin/parse_xml_v3.py, in the same directory as safe_restart_cluster_master.py.
import sys
from xml.sax import ContentHandler, parse
from optparse import OptionParser

class PeerBucketFlags:
    def __init__(self):
        self.primary = False
        self.searchable = False

class Bucket:
    def __init__(self):
        self.peer_flags = {}  # key is peer guid
        self.frozen = False

class BucketHandler(ContentHandler):
    def __init__(self):
        ContentHandler.__init__(self)
        self.buckets = {}
        self.in_entry = False
        self.in_peers = False
        self.save_title = False
        self.save_frozen = False
        self.peer_nesting = 0
        self.current_peer_flags = {}
        self.current_guid = None
        self.current_frozen_flag = ''
        self.current_peer_field = None
        self.current_peer_field_value = ''
        self.current_bucket = ''

    def getBuckets(self):
        return self.buckets

    def startDocument(self):
        pass

    def endDocument(self):
        pass

    def startElement(self, name, attrs):
        if name == 'entry':
            self.in_entry = True
        elif self.in_entry and name == 'title':
            self.save_title = True
        elif self.in_entry and name == 's:key' and attrs.get('name') == 'frozen':
            self.save_frozen = True
        elif name == 's:key' and attrs.get('name') == 'peers':
            self.in_peers = True
        elif self.in_peers and name == 's:key':
            self.peer_nesting += 1
            if self.peer_nesting == 1:
                self.current_peer_flags = PeerBucketFlags()
                self.current_guid = attrs.get('name').encode('ascii')
            elif self.peer_nesting == 2:
                self.current_peer_field = attrs.get('name').encode('ascii')
                self.current_peer_field_value = ''

    def endElement(self, name):
        if name == 'entry':
            self.in_entry = False
            self.current_bucket = ''
        elif self.save_title:
            try:
                (idx, local_id, origin_guid) = self.current_bucket.split('~')
            except ValueError as e:
                print "Invalid? ", self._locator.getLineNumber()
                print self.current_bucket
                print e
                raise
            self.buckets[self.current_bucket] = Bucket()
            self.save_title = False
        elif self.save_frozen:
            if self.current_frozen_flag in [1, '1', 'True', 'true']:
                self.buckets[self.current_bucket].frozen = True
            self.current_frozen_flag = ''
            self.save_frozen = False
        elif self.peer_nesting == 2 and name == 's:key':
            if self.current_peer_field == 'bucket_flags':
                self.current_peer_flags.primary = (self.current_peer_field_value == '0xffffffffffffffff')
            elif self.current_peer_field == 'search_state':
                self.current_peer_flags.searchable = self.current_peer_field_value == 'Searchable'
            # Nesting level goes down in either case.
            self.peer_nesting -= 1
        elif self.peer_nesting == 1 and name == 's:key':
            self.buckets[self.current_bucket].peer_flags[self.current_guid] = self.current_peer_flags
            self.peer_nesting -= 1
        elif self.in_peers and self.peer_nesting == 0 and name == 's:key':
            self.in_peers = False
When the master restarts after an upgrade from 5.0.1 or earlier, it performs a
rolling restart on the set of peer nodes, to push the latest version of the
configuration bundle (with the renamed /_cluster directory).
Review the following requirements and considerations before you initiate a rolling
upgrade:
• All search heads and search head clusters must be running version 7.1.0
or later.
• Do not attempt any clustering maintenance operations, such as rolling
restart, bundle pushes, or node additions, during upgrade.
Hardware or network failures that prevent node shutdown or restart might require
manual intervention.
When you initiate a rolling upgrade, you select a peer and take it offline. During
the offline process, the master reassigns bucket primaries to other peers to retain
the searchable state, and the peer completes any in-progress searches within a
configurable timeout. See The fast offline process.
After the master shuts down the peer, you perform the software upgrade and
bring the peer back online, at which point the peer rejoins the cluster. You repeat
this process for each peer node until the rolling upgrade is complete.
• With the default search factor of SF=2, peers are upgraded one at a time. With SF=3 or greater, you can upgrade up to one fewer than the search factor number of peers at a time. For example, with SF=3 you can upgrade two peers at a time.
• The peer waits for any in-progress searches to complete. It will wait up to
a maximum time period determined by the
decommission_search_jobs_wait_secs attribute in server.conf. The
default of 180 seconds is enough time for the majority of searches to
complete in most cases.
• Rolling upgrades apply to both historical searches and real-time searches.
In-progress searches that take longer than the default 180 seconds might
generate incomplete results and a corresponding error message. If you have a
scheduled search that must complete, either increase the
decommission_search_jobs_wait_secs value or do not perform a rolling upgrade
within the search's timeframe.
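For example, to give long-running scheduled searches more time to complete, you might raise the timeout on the peer nodes. The stanza placement shown here is an assumption; consult the server.conf specification for the authoritative location of this attribute:

[clustering]
decommission_search_jobs_wait_secs = 600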
Before you perform a rolling upgrade, make sure the search_retry attribute in
the [search] stanza of limits.conf is set to false (the default). Setting this to
true might cause searches that take longer than the
decommission_search_jobs_wait_secs value to generate duplicate or partial
results without an error message.
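For example, the default setting looks like this in limits.conf on the search heads:

[search]
search_retry = false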
Perform a rolling upgrade
On the master, run the splunk show cluster-status command with the verbose
option to confirm the cluster is in a searchable state:
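For example, from $SPLUNK_HOME/bin on the master:

splunk show cluster-status --verbose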
idx2 81E52D67-6AC6-4C5B-A528-4CD5FEF08009 default
Searchable YES
Status Up
Bucket Count=14
Splunk Version=7.1.0
The output shows that the health check is successful, which indicates the cluster
is in a searchable state to perform a rolling upgrade.
For information on health check criteria, see Health check output details.
Health checks do not cover all potential cluster health issues. The checks apply
only to the criteria listed.
Or, send a GET request to the following endpoint to monitor cluster health:
cluster/master/health
If the endpoint output shows pre_flight_check: 1, the health check is successful.
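For example, you can query the endpoint with curl. The master host and credentials are placeholders, and -k skips certificate validation for a default self-signed certificate:

curl -k -u admin:changeme "https://<master>:8089/services/cluster/master/health?output_mode=json"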
You can use the cluster master dashboard to verify that all cluster nodes are up
and running. See View the master dashboard.
Next, send a POST request to the following endpoint:
cluster/master/control/control/rolling_upgrade_init
This initializes the rolling upgrade and puts the cluster in maintenance mode.
For endpoint details, see cluster/master/control/control/rolling_upgrade_init in the
REST API Reference Manual.
To take a peer offline, run the splunk offline command on that peer:
splunk offline
Or, send a POST request to the following endpoint.
cluster/slave/control/control/decommission
The master reassigns bucket primaries, completes any ongoing searches, and
then shuts down the peer.
To monitor the status of the offline process, send a GET request to the following
endpoint:
cluster/master/peers/<peer-GUID>
If the response shows "ReassigningPrimaries", the peer is not yet shut down.
After you upgrade the peer, bring it back up with the splunk start command:
splunk start
The peer node starts and automatically rejoins the cluster.
To verify that the peer has rejoined the cluster, send a GET request to the following endpoint:
cluster/master/peers/<peer-GUID>
For endpoint details, see cluster/master/peers/{name} in the REST API
Reference Manual.
When all peers have been upgraded, send a POST request to the following endpoint:
cluster/master/control/control/rolling_upgrade_finalize
This completes the upgrade process and takes the cluster out of maintenance
mode.
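Putting the REST-based steps together, a rolling upgrade driven entirely through curl might look like the following sketch. Hostnames, credentials, and the peer GUID are placeholders; repeat the per-peer steps for each peer node:

# 1. Initialize the rolling upgrade (on the master)
curl -k -u admin:changeme -X POST https://<master>:8089/services/cluster/master/control/control/rolling_upgrade_init

# 2. Take a peer offline (on the peer)
curl -k -u admin:changeme -X POST https://<peer>:8089/services/cluster/slave/control/control/decommission

# 3. Upgrade the peer, start it, then confirm that it has rejoined (on the master)
curl -k -u admin:changeme https://<master>:8089/services/cluster/master/peers/<peer-GUID>

# 4. After all peers are upgraded, finalize the upgrade (on the master)
curl -k -u admin:changeme -X POST https://<master>:8089/services/cluster/master/control/control/rolling_upgrade_finalize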
Get data into the indexer cluster
There are several key reasons for using forwarders to send data to your cluster.
If you decide not to use forwarders to handle your data inputs, you can set up
inputs on each peer in the usual way; for example, by editing inputs.conf on the
peers. For information on configuring inputs, read "Configure your inputs" in the
Getting Data In Manual.
To use forwarders to get data into clusters, you must perform two types of configuration: you must set up the connection between the forwarders and the receiving peers, and you must specify the data inputs on the forwarders.
Before continuing, you must be familiar with forwarders and how to use them to
get data into Splunk Enterprise. For an introduction to forwarders, read "About
forwarding and receiving" in the Forwarding Data manual. Subsequent topics in
that manual describe all aspects of deploying and configuring forwarders.
These are some advantages of using indexer discovery to connect forwarders to peer nodes:
• When new peer nodes join the cluster, you do not need to reconfigure and
restart your forwarders to connect to the new peers. The forwarder
automatically gets the updated list of peers from the master. It uses load
balancing to forward to all peers in the list.
• You can add new forwarders without needing to determine the current set
of cluster peers. You just configure indexer discovery on the new
forwarders.
• You can use weighted load balancing when forwarding data across the
set of peers. With indexer discovery, the master can track the amount of
total disk space on each peer and communicate that information to the
forwarders. The forwarders then adjust the amount of data they send to
each peer, based on the disk capacity.
After you specify the connection between the forwarders and the receiving peers
using the method you prefer, you must specify the data inputs to each forwarder,
so that the forwarder has data to send to the cluster. You usually do this by
editing the forwarder's inputs.conf file.
Read the Getting Data In manual, starting with "What Splunk can index" for
detailed information on configuring data inputs. The topic in that manual entitled
"Use forwarders" provides an introduction to specifying data inputs on
forwarders.
In brief, indexer acknowledgment works like this: The forwarder sends data
continuously to the receiving peer, in blocks of approximately 64kB. The
forwarder maintains a copy of each block in memory until it gets an
acknowledgment from the peer. While waiting, it continues to send more data
blocks.
1. The receiving peer receives the block of data, parses and indexes it, and writes the data (raw data and index data) to the file system.
The acknowledgment assures the forwarder that the data was successfully
written to the cluster. Upon receiving the acknowledgment, the forwarder
releases the block from memory.
If the forwarder does not receive the acknowledgment, that means there was a
failure along the way. Either the receiving peer went down or that peer was
unable to contact its set of target peers. The forwarder then automatically
resends the block of data. If the forwarder is using load-balancing, it sends the
block to another receiving node in the load-balanced group. If the forwarder is not
set up for load-balancing, it attempts to resend data to the same node as before.
Splunk forwarders perform "automatic load balancing". The forwarder routes data
to different nodes based on a specified time interval. For example, assume you
have a load-balanced group consisting of three peer nodes: A, B, and C. At the
interval specified by the autoLBFrequency attribute in outputs.conf (30 seconds
by default), the forwarder switches the data stream to another node in the group,
selected at random. So, every 30 seconds, the forwarder might switch from node
B to node A to node C, and so on. If one node is down, the forwarder
immediately switches to another.
Note: To expand on this a bit, each of the forwarder's inputs has its own data
stream. At the specified interval, the forwarder switches the data stream to the
newly selected node, if it is safe to do so. If it cannot safely switch the data
stream to the new node, it keeps the connection to the previous node open and
continues to send the data stream to that node until it has been safely sent.
Forwarders using the indexer discovery feature always use load balancing to
send data to the set of peer nodes. You can enable weighted load balancing,
which means that the forwarder distributes data based on each peer's disk
capacity. For example, a peer with a 400GB disk receives twice the data of a
peer with a 200GB disk. See "Use weighted load balancing."
Each forwarder queries the master node for a list of all peer nodes in the cluster.
It then uses load balancing to forward data to the set of peer nodes. In the case
of a multisite cluster, a forwarder can query the master for a list of all peers on a
single site.
1. The peer nodes provide the master with information on their receiving ports.
2. The forwarders poll the master at regular intervals for the list of available peer
nodes. You can adjust this interval. See Adjust the frequency of polling.
3. The master transmits the peer nodes' URIs and receiving ports to the
forwarders.
4. The forwarders send data to the set of nodes provided by the master.
In this way, the forwarders stay current with the state of the cluster, learning of
any peers that have joined or left the cluster and updating their set of receiving
peers accordingly.
In the case of a multisite cluster, each forwarder can identify itself as a member
of a site. In that case, the master transmits a list of all peer nodes for that site
only, and the forwarder limits itself to load balancing across that site. See Use
indexer discovery in a multisite cluster.
In addition, the forwarders can use weighted load balancing to adjust the amount of data they send to each peer, based on that peer's relative disk capacity. See Use weighted load balancing.
Note: If the master goes down, the forwarders will rely on their most recent list of
available peer nodes. However, the list does not persist through a forwarder
restart. Therefore, if a forwarder restarts while the master is down, it will not have
a list of peer nodes and will not be able to forward data, resulting in potential data
loss. Similarly, if a forwarder starts up for the first time, it must wait for the master
to return before it can get a list of peers.
These are the main steps for setting up connections between forwarders and
peer nodes, using indexer discovery:
1. Configure the peer nodes to receive data from the forwarders.
2. Configure the master node to enable indexer discovery.
3. Configure the forwarders to use indexer discovery.
After you set up the connection, you must configure the data inputs on the
forwarders. See Configure the data inputs to each forwarder.
In order for a peer to receive data from forwarders, you must configure the peer's
receiving port. One way to specify the receiving port is to edit the peer's
inputs.conf file. For example, this setting in inputs.conf sets the receiving port to
9997:
[splunktcp://9997]
disabled = 0
Restart the peer node after making the change.
Caution: When using indexer discovery, each peer node can have only a single
configured receiving port. The port can be configured for either splunktcp or
splunktcp-ssl, but not for both. You must use the same method for all peer
nodes in the cluster: splunktcp or splunktcp-ssl.
When forwarding to a multisite cluster, you can configure the forwarder to send
data only to peers in a specified site. See Use indexer discovery in a multisite
cluster.
To enable indexer discovery on the master node, add an [indexer_discovery] stanza to the master's server.conf file:
[indexer_discovery]
pass4SymmKey = <string>
polling_rate = <integer>
indexerWeightByDiskCapacity = <bool>
Note the following:
To configure the forwarders, add stanzas like these to each forwarder's outputs.conf file:
[indexer_discovery:<name>]
pass4SymmKey = <string>
master_uri = <uri>
[tcpout:<target_group>]
indexerDiscovery = <name>
[tcpout]
defaultGroup = <target_group>
Note the following:
• In the [tcpout:<target_group>] stanza, set the indexerDiscovery
attribute, instead of the server attribute that you would use to specify the
receiving peer nodes if you were not enabling indexer discovery. With
indexer discovery, the forwarders get their list of receiving peer nodes
from the master, not from the server attribute. If both attributes are set,
indexerDiscovery takes precedence.
Note: This step is required to ensure end-to-end data fidelity. If that is not a
requirement for your deployment, you can skip this step.
To ensure that the cluster receives and indexes all incoming data, you must turn
on indexer acknowledgment for each forwarder.
[tcpout:<target_group>]
indexerDiscovery = <name>
useACK=true
For detailed information on configuring indexer acknowledgment, read Protect
against loss of in-flight data in the Forwarding Data manual.
Example
In this example, the master enables indexer discovery with weighted load balancing, and each forwarder uses indexer discovery with indexer acknowledgment.
In the master's server.conf:
[indexer_discovery]
pass4SymmKey = my_secret
indexerWeightByDiskCapacity = true
In each forwarder's outputs.conf:
[indexer_discovery:master1]
pass4SymmKey = my_secret
master_uri = https://10.152.31.202:8089
[tcpout:group1]
autoLBFrequency = 30
forceTimebasedAutoLB = true
indexerDiscovery = master1
useACK=true
[tcpout]
defaultGroup = group1
Use indexer discovery in a multisite cluster
In multisite clustering, the cluster is partitioned into sites, typically based on the
location of the cluster nodes. See Multisite indexer clusters. When using indexer
discovery with multisite clustering, you can configure each forwarder to be
site-aware, so that it forwards data to peer nodes only on a single specified site.
When you use indexer discovery with multisite clustering, you must assign a site ID to all forwarders, whether or not you want the forwarders to be site-aware. Add this stanza to each forwarder's server.conf file:
[general]
site = <site-id>
Note the following:
• If you want the forwarder to send data to all peers, across all sites, assign
a value of "site0".
• If you do not assign any id, the forwarder will not send data to any peer
nodes.
• See also Site values.
If you assign a forwarder to a specific site and that site goes down, the forwarder,
by default, will not fail over to another site. Instead, it will stop forwarding data if
there are no peers available on its assigned site. To avoid this issue, you must
configure the forwarder site failover capability.
You configure forwarder site failover in the [clustering] stanza on the master. For example:
[clustering]
forwarder_site_failover = site1:site2, site2:site3
This example configures failover sites for site1 and site2. If site1 fails, all
forwarders configured to send data to peers on site1 will instead send data to
peers on site2. Similarly, if site2 fails, all forwarders explicitly configured to send
data to peers on site2 will instead send data to peers on site3.
Note: The failover capability does not relay from site to site. In other words, in
the previous example, if a forwarder is set to site1 and site1 goes down, the
forwarder will then start forwarding to peers on site2. However, if site2
subsequently goes down, the site1 forwarder will not then failover to site3. Only
forwarders explicitly set to site2 will failover to site3. Each forwarder can have
only a single failover site.
The forwarders revert to their assigned site, as soon as any peer on that site
returns to the cluster. For example, assume that the master includes this
configuration:
[clustering]
forwarder_site_failover = site1:site2
When site1 goes down, such that there are no peers running on site1, the
forwarders assigned to site1 start sending data to peers on site2 instead. This
failover condition continues until a site1 peer returns to the cluster. At that point,
the forwarders assigned to site1 start forwarding to that peer. They no longer
forward to peers on site2.
When you enable indexer discovery, the forwarders always stream the incoming
data across the set of peer nodes, using load balancing to switch the data stream
from node to node. This operates in a similar way to how forwarders without
indexer discovery use load balancing, but with some key differences. In
particular, you can enable weighted load balancing.
In weighted load balancing, the forwarders take each peer's disk capacity into
account when they load balance the data. For example, a peer with a 400GB
disk receives approximately twice the data of a peer with a 200GB disk.
Important: The disk capacity refers to the total amount of local disk space on the
peer, not the amount of free space.
In other words, the forwarder uses weighted picking. So, if the forwarder has an autoLBFrequency set to 60, then every sixty seconds the forwarder switches the data stream to a new indexer. If the load balancing is taking place across two indexers, one with a 500GB disk and the other with a 100GB disk, the indexer with the larger disk is five times as likely to be picked at each switching point. The probability that a particular indexer is picked at each switching point is:
indexer_disk_capacity/total_disk_capacity_of_indexers_combined
In the two-indexer example, the 500GB indexer is picked with probability 500/600 and the 100GB indexer with probability 100/600.
For a general discussion of load balancing in indexer clusters, see How load
balancing works.
Enable weighted load balancing
To enable weighted load balancing, set the indexerWeightByDiskCapacity attribute in the [indexer_discovery] stanza of the master's server.conf file:
[indexer_discovery]
indexerWeightByDiskCapacity = <bool>
Note the following:
In some cases, you might want weighted load balancing to treat an indexer as though it has a lower disk capacity than it actually has. You can use the advertised_disk_capacity attribute to accomplish this. For example, if you set that attribute to 50 (signifying 50%) on an indexer with a 500GB disk, weighted load balancing proceeds as though the actual disk capacity were 250GB. Set the attribute in the [clustering] stanza of the indexer's server.conf file:
[clustering]
advertised_disk_capacity = <integer>
Note the following:
Forwarders poll the master at regular intervals to receive the most recent list of
peers. In this way, they become aware of any changes to the set of available
peers and can modify their forwarding accordingly. You can adjust the rate of
polling.
The frequency of polling is based on the number of forwarders and the value of the polling_rate attribute, configured in the master's server.conf file. To adjust the rate, set the polling_rate attribute in the [indexer_discovery] stanza:
[indexer_discovery]
polling_rate = <integer>
Note the following:
You can configure indexer discovery with SSL. The process is nearly the same
as configuring without SSL, with just a few additions and changes:
1. Configure the peer nodes to receive data from forwarders over SSL.
The steps below provide basic configuration information only, focusing on the
differences when configuring for SSL. For full details on indexer discovery
configuration, see Configure indexer discovery.
1. Configure the peer nodes to receive data from forwarders over SSL
Edit each peer's inputs.conf file to specify the receiving port and to configure the
necessary SSL settings:
[splunktcp-ssl://9997]
disabled = 0
[SSL]
serverCert = <path to server certificate>
sslPassword = <certificate password>
[indexer_discovery]
pass4SymmKey = <string>
polling_rate = <integer>
indexerWeightByDiskCapacity = <bool>
This is the same as for configuring a non-SSL set-up.
[indexer_discovery:<name>]
pass4SymmKey = <string>
master_uri = <uri>
[tcpout:<target_group>]
indexerDiscovery = <name>
useACK = true
clientCert = <path to client certificate>
sslPassword = <CAcert password>
sslRootCAPath = < path to root certificate authority file>
[tcpout]
defaultGroup = <target_group>
Once you finish setting up the connection, you must configure the data inputs on
the forwarders. See "Configure the forwarder's data inputs".
In order for a peer to receive data from forwarders, you must configure the peer's
receiving port. For information on how to configure the receiving port, read
"Enable a receiver" in the Forwarding Data manual.
One way to specify the receiving port is to edit the peer's inputs.conf file. You can
simplify peer input configuration by deploying a single, identical inputs.conf file
across all the peers. The receiving port that you specify in the common copy of
inputs.conf will supersede any ports you enable on each individual peer. For
details on how to create and deploy a common inputs.conf across all peers,
read "Update common peer configurations".
When you set up a forwarder, you specify its receiving peer by providing the
peer's IP address and receiving port number. For example: 10.10.10.1:9997. You
do this in the forwarder's outputs.conf file, as described in "Configure forwarders
with outputs.conf" in the Forwarding Data manual. To specify the receiving peer,
set the server attribute, like this:
server=10.10.10.1:9997
The receiving port that you specify here is the port that you configured on the
peer in step 1.
To set up the forwarder to use load-balancing, so that the data goes to multiple
peer nodes in sequence, you configure a load-balanced group of receiving peers.
For example, this attribute/value pair in outputs.conf specifies a load-balanced
group of three peers:
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
To learn more about configuring load balancing, read "Set up load balancing" in
the Forwarding Data manual.
Note: There are several other ways that you can specify a forwarder's receiving
peer(s). For example:
• You can specify the receiving peer during universal forwarder deployment
(for Windows universal forwarders only), as described in Install a Windows
universal forwarder from an installer in the Universal Forwarder manual.
• You can specify the receiver with the CLI command add forward-server,
as described in Enable a receiver in the Forwarding Data manual.
To ensure that the cluster receives and indexes all incoming data, you must turn
on indexer acknowledgment for each forwarder.
[tcpout:<peer_target_group>]
useACK=true
For detailed information on configuring indexer acknowledgment, read Protect
against loss of in-flight data in the Forwarding Data manual.
[tcpout]
defaultGroup=my_LB_peers
[tcpout:my_LB_peers]
autoLBFrequency=40
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
useACK=true
The forwarder starts by sending data to one of the peers listed for the server
attribute. After 40 seconds, it switches to another peer, and so on. If, at any time,
it doesn't receive acknowledgment from the current receiving node, it resends the
data, this time to the next available node.
Configure the indexer cluster
The settings for each node type handle different aspects of the cluster.
See the chapters on specific node types for information on configuring each node
type. The chapter "Configure the peers," for example, includes some topics on
configuring the peer cluster node settings and other topics that describe how to
configure the indexes that a peer uses.
• You can edit the configuration from the node's dashboard in Splunk Web,
as described in "Configure the indexer cluster with the dashboards".
• You can directly edit the [clustering] stanza in the node's server.conf
file. See "Configure the indexer cluster with server.conf" for details. To
configure some advanced settings, you must edit this file.
• You can use the CLI. See "Configure and manage the indexer cluster with
the CLI" for details.
1. Click Settings on the upper right side of Splunk Web on the node.
2. In the Distributed environment group, click Indexer clustering.
3. Select the Edit button on the upper right side of the dashboard.
This topic discusses some issues that are common to all node types.
Configure the various node types
For details on all the clustering attributes, including the advanced ones, read the
server.conf specification.
You set pass4SymmKey when you deploy the cluster. For details on how to set the key on the master node, see Enable the indexer cluster master node. You also set it when enabling the peer nodes and search heads.
If you set the key directly in server.conf, you must set it inside the [clustering]
stanza for indexer clustering.
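For example (the key value is a placeholder):

[clustering]
pass4SymmKey = yoursecretkey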
Important: Save a copy of the key in a safe place. Once an instance starts
running, the security key changes from clear text to encrypted form, and it is no
longer recoverable from server.conf. If you later want to add a new node, you
will need to use the clear text version to set the key.
For information on setting the security key for a combined search head cluster
and indexer cluster, see Integrate the search head cluster with an indexer cluster
in Distributed Search.
After you configure an instance as a cluster node for the first time, you need to
restart it for the change to take effect.
If you make a configuration change later on, you might not need to restart the
instance, depending on the type of change. Avoid restarting peers when
possible. Restarting the set of peers can result in prolonged amounts of
bucket-fixing.
Initial configuration
After initially configuring instances as cluster nodes, you need to restart all of
them (master, peers, and search head) for the changes to take effect. You can
do this by invoking the CLI restart command on each node:
$SPLUNK_HOME/bin/splunk restart
When the master starts up for the first time, it blocks indexing on the peers until
you enable and restart the replication factor number of peers. Do not restart the
master while it is waiting for the peers to join the cluster. If you do, you will need
to restart the peers a second time.
Important: Although you can use the CLI restart command when you initially
enable an instance as a cluster peer node, do not use it for subsequent restarts.
The restart command is not compatible with index replication once replication
has begun. For more information, including a discussion of safe restart methods,
read "Restart a single peer".
If you change any of the following attributes in the server.conf file, you do not
need to restart the node.
On a peer node:
• master_uri
• notify_scan_period
On a search head:
• master_uri
On a master node:
• quiet_period
• heartbeat_timeout
• restart_timeout
• max_peer_build_load
• max_peer_rep_load
• cluster_label
• access_logging_for_heartbeats
• use_batch_mask_changes
• percent_peers_to_restart
• summary_replication
Some clustering commands are available only for a specific node type, such as
the master node.
This topic discusses issues that are common to all node types.
You can use the CLI to enable any of the cluster node types or to change their
configurations later:
• To enable or edit a master node, see "Configure the master with the CLI".
• To enable or edit a peer node, see "Configure peer nodes with the CLI".
• To enable or edit a search head, see "Configure the search head with the
CLI".
For details on specific command-line options, read "Configure the indexer cluster
with server.conf".
Specify a security key
You specify a security key for the cluster by appending the -secret flag when
you enable each cluster node. For example, you specify it when configuring a
peer node:
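A representative command looks like the following sketch. The master URI, replication port, and key are placeholders:

splunk edit cluster-config -mode slave -master_uri https://<master>:8089 -replication_port 9887 -secret your_key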
There are a number of splunk list commands that return different types of
cluster information. For example, to get detailed information on each peer in the
cluster, run this command on the master:
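splunk list cluster-peers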
You can also use the CLI to perform a number of different actions on the cluster.
Those actions are described in their own topics:
Get help on the CLI commands
The CLI provides online help for its commands. For general help on the full set of
clustering commands, go to $SPLUNK_HOME/bin and type:
splunk help
Configure the master
• You can edit the configuration from the master node dashboard in Splunk
Web. See "Configure the master with the dashboard".
• You can directly edit the [clustering] stanza in the master's server.conf
file. To configure some advanced settings, you must edit this file. See
"Configure the master with server.conf".
• You can use the CLI. See "Configure the master with the CLI".
After you change the master configuration, you must restart the master for the
changes to take effect.
Important: The master has the sole function of managing the other cluster
nodes. Do not use it to index external data or to search the cluster.
Configure a stand-by master
To prepare for master node failure, configure a stand-by master that can take
over if the current master goes down. See "Replace the master node on the
indexer cluster".
◊ Cluster Label. Label the cluster. The label is useful for
identifying the cluster in the monitoring console. See Set
cluster labels in Securing Splunk Enterprise.
For information on using this dashboard to enable a master node initially, see
Enable the indexer cluster master node.
For information on using this dashboard to view cluster status, see View the
master dashboard.
Before reading this topic, see Configure the indexer cluster with server.conf. It
discusses configuration issues that are common to all cluster node types.
The following example shows the basic settings that you configure when
enabling a master node. Unless otherwise noted, the settings are required. The
configuration attributes correspond to fields on the Enable clustering page of
Splunk Web.
[clustering]
mode = master
replication_factor = 4
search_factor = 3
pass4SymmKey = whatever
cluster_label = cluster1
This example specifies that:
• the instance is a cluster master node.
• the cluster's replication factor is 4.
• the cluster's search factor is 3.
• the security key is "whatever".
• the cluster label is "cluster1".
Important: When the master starts up for the first time, it will block indexing on
the peers until you enable and restart the full replication factor number of peers.
Do not restart the master while it is waiting for the peers to join the cluster. If you
do, you will need to restart the peers a second time.
Note: When you enable the master node in Splunk Web, the resulting
server.conf stanza includes attributes only for non-default values. For example,
if you accept the default replication factor of 3 and do not enter a new value for it,
the resulting stanza does not include the replication_factor attribute.
You can change these settings later, if necessary. For example, to change the
cluster's security key, you edit the pass4SymmKey value on each node.
For details on all cluster attributes, including some advanced ones that rarely
require editing, read the server.conf specification.
• "Configure and manage the indexer cluster with the CLI". This topic
explains the basics of indexer cluster configuration with the CLI. It
provides details on issues that are common to all cluster node types.
The following example shows the basic settings that you typically configure when
enabling a master node. The configuration attributes correspond to fields on the
Enable clustering page of Splunk Web.
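A typical command looks like this sketch, with values matching the server.conf example earlier in this chapter (the security key is a placeholder):

splunk edit cluster-config -mode master -replication_factor 4 -search_factor 3 -secret your_key -cluster_label cluster1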
splunk restart
Important: When the master starts up for the first time, it will block indexing on
the peers until you enable and restart the full replication factor number of peers.
Do not restart the master while it is waiting for the peers to join the cluster. If you
do, you will need to restart the peers a second time.
You can also use the CLI to edit the configuration later. Use the splunk edit
cluster-config command, the same command used to enable the master
initially.
Refer to the CLI clustering help, along with the server.conf specification file, for
the list of configurable settings.
Although it is possible to change the settings for the replication factor and search
factor, it is inadvisable to increase either of them after your cluster contains
significant amounts of data. Doing so will kick off a great deal of bucket activity,
which will have an adverse effect on the cluster's performance while bucket
copies are being created or made searchable.
Although there is currently no master failover capability, you can prepare the
indexer cluster for master failure by configuring a stand-by master that you can
immediately bring up if the primary master goes down. You can use the same
method to replace the master intentionally.
1. Back up the files that the replacement master needs. This is a preparatory step. You must do this before the master fails or otherwise leaves the system.
2. Ensure that the peer and search head nodes can find the new master.
3. Replace the master.
In the case of a multisite cluster, you must also prepare for the possible failure of
the site that houses the master. See Handle master site failure.
There are two static configurations that you must back up so that you can later copy them to the replacement master:
• The master's server.conf file, which is where the master cluster settings are stored. You must back up this file whenever you change the master's cluster configuration.
• The master's $SPLUNK_HOME/etc/master-apps directory, which contains the configuration bundle that the master distributes to the peer nodes. You must back up this directory whenever its contents change.
In addition to the above configuration files, make sure to back up any other configuration files that you have customized on the cluster master, such as inputs.conf, web.conf, and so on.
In preparing a replacement master, you must copy over only the master's static
state. You do not copy or otherwise deal with the dynamic state of the cluster.
The cluster peers as a group hold all information about the dynamic state of a
cluster, such as the status of all bucket copies. They communicate this
information to the master node as necessary, for example, when a downed
master returns to the cluster or when a stand-by master replaces a downed
master. The master then uses that information to rebuild its map of the cluster's
dynamic state.
Ensure that the peer and search head nodes can find the new
master
You can choose between two approaches for ensuring that the peer nodes and
search head can locate the replacement instance and recognize it as the master:
Prerequisite
You must have up-to-date backups of the two sets of static configuration files, as
described in Back up the files that the replacement master needs.
Steps
If you want to skip steps 3 and 5, you can replace the [general] and
[clustering] stanzas on the replacement master in step 4, instead of copying
the entire server.conf file.
In release 6.5, the sslKeysfilePassword attribute was deprecated and
replaced by the sslPassword attribute. If the server.conf file is using
sslKeysfilePassword, then copy that setting instead.
4. Copy the backup of the old master's server.conf and
$SPLUNK_HOME/etc/master-apps files to the replacement master.
5. Delete the sslPassword setting in the copied server.conf, and replace it
with the version of the setting that you saved in step 3.
6. Start the replacement master.
7. Make sure that the peer and search head nodes are pointing to the new
master through one of the methods described in Ensure that the peer and
search head nodes can find the new master.
Configure the peers
• Configuration of the basic indexer cluster settings, such as the master URI
and the replication port.
• Configuration of input, indexing, and related settings. This includes the
deployment of apps to the peer nodes.
Initial configuration
1. When you enable the peer, you specify its cluster settings, such as its master
node and the port on which it receives replicated data. See Enable the peer
nodes.
2. After you enable the set of peers, you configure their indexes, if necessary.
See Configure the peer indexes in an indexer cluster.
3. Finally, you configure their inputs, usually by means of forwarders. See Use
forwarders to get data into the indexer cluster.
These are the key steps in configuring a peer. You might also need to update the
configurations later, as with any indexer.
There are two main reasons to change the cluster node configuration:
• Redirect the peer to another master. This can be useful in the case
where the master fails but you have a stand-by master ready to take over.
For information on stand-by masters, see Replace the master node on the
indexer cluster.
• Change the peer's security key for the cluster. Only change the key if
you are also changing it for all other nodes in the cluster. The key must be
the same across all instances in a cluster.
To edit the cluster configuration, change each peer node individually, using one
of these methods:
• Edit the configuration from the peer node dashboard in Splunk Web. See
Configure peer nodes with the dashboard.
• Edit the peer's server.conf file. See Configure peer nodes with
server.conf for details.
• Use the CLI. See Configure peer nodes with the CLI for details.
For additions and differences when configuring multisite peer nodes, see
Configure multisite indexer clusters with server.conf.
The set of index stanzas in indexes.conf must be identical across all peers,
aside from very limited exceptions described in Manage configurations on a
peer-by-peer basis. It is also important that index-time processing be the same
across the peers. For the cluster to properly replicate data and handle node
failover, peers must share the same indexing functionality, and they cannot do
this if certain key files vary from peer to peer.
As a best practice, you should treat your peers as interchangeable, and therefore
you should maintain identical versions of configuration files and apps across all
peers. At the least, the following files should be identical:
• indexes.conf
• props.conf
• transforms.conf
To ensure that the peers share a common set of configuration files and apps,
place the files and apps on the master and then use the configuration bundle
method to distribute them, in a single operation, to the set of peers.
These topics describe how to maintain identical configurations across the set of
peers:
Manage single-peer configurations
1. Click Settings on the upper right side of Splunk Web on the peer.
2. In the Distributed environment group, click Indexer clustering.
3. Select the Edit button on the upper right side of the dashboard.
The Edit button provides a number of options that affect the configuration.
For information on using this dashboard to enable a peer node initially, see
Enable the peer nodes.
For information on using this dashboard to view cluster status, see View the peer
dashboard.
To change the configuration for this peer node, select the Configuration option:
Remove the peer from a cluster
To remove the peer from the cluster, select the Disable Indexer Clustering
option.
Other edits
It is extremely unlikely that you will want to change the node type for nodes in an
active cluster. Consider the consequences carefully before doing so.
Before reading this topic, see Configure the indexer cluster with server.conf. It
discusses configuration issues that are common to all cluster node types.
The following example shows the basic settings that you must configure when
enabling a peer node. The configuration attributes shown in these examples
correspond to fields on the Enable clustering page of Splunk Web.
[replication_port://9887]
[clustering]
master_uri = https://10.152.31.202:8089
mode = slave
pass4SymmKey = whatever
This example specifies that:
• the peer will use port 9887 to listen for replicated data streamed from the
other peers. You can specify any available, unused port as the replication
port. Do not re-use the management or receiving ports.
• the peer's cluster master resides at 10.152.31.202:8089.
• the instance is a cluster peer ("slave") node.
• the security key is "whatever".
Edit the peer settings
You can change these settings later, if necessary. For example, to change the
cluster's security key, you change the pass4SymmKey value on each node.
• Configure and manage the indexer cluster with the CLI. This topic explains
the basics of cluster configuration with the CLI. It provides details on
issues that are common to all indexer cluster node types.
The following example shows the basic settings that you typically configure when
enabling a peer node. The configuration attributes correspond to fields on the
Enable clustering page of Splunk Web.
To enable an instance as a peer node, set mode to "slave". You also need to
specify master_uri and replication_port. In addition, you must specify the
cluster-wide security key (secret):
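A typical command looks like this sketch, matching the server.conf example above (the key is a placeholder):

splunk edit cluster-config -mode slave -master_uri https://10.152.31.202:8089 -replication_port 9887 -secret your_key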
splunk restart
Edit the peer settings
You can also use the CLI to edit the configuration later. Use the splunk edit
cluster-config command, the same command that you use to enable the peer
initially.
Refer to the CLI clustering help, along with the server.conf specification file, for
the list of configurable settings.
Manage common configurations across all peers
You should attempt to maintain a common set of configuration files, including
apps, across all peers in an indexer cluster. This enhances high availability by
making the peers essentially interchangeable. In addition, certain configurations
must be identical so that all the peers index the data in the same way.
The master node distributes files and apps to all peers as a single action, through
the configuration bundle method. You must use this method to manage
common configurations. See Update common peer configurations and apps.
It is highly recommended that you distribute the same versions of these files
across all peers:
• indexes.conf. It is critical that all peers share the same set of clustered
indexes.
• props.conf and transforms.conf. All peers must use the same set of
rules when indexing data.
Beyond these three key files, you can greatly simplify cluster management by
maintaining identical versions of other configuration files across all peers. For
example, if your peers are able to share a single set of inputs, you can maintain a
single inputs.conf file across all peers.
Because apps often contain versions of those configuration files, you should
ordinarily distribute the same set of apps to all peers, rather than installing them
individually on single peers. See Manage app deployment across all peers.
Distribute configuration files to all peers
1. If distributing any indexes.conf files, configure them so that they support index
replication. See Configure the peer indexes in an indexer cluster.
2. Place the files in the appropriate location under $SPLUNK_HOME/etc/master-apps on the master. Standalone configuration files go in the _cluster/local subdirectory.
3. Use Splunk Web or the CLI to distribute the configuration bundle to the peer nodes.
For details on these steps, see Update common peer configurations and apps.
The configuration bundle method is the only supported method for managing
common configurations and app deployment across the set of peers. It ensures
that all peers use the same versions of these files.
Note these critical differences in how you manage peer configuration files
compared to configurations for standalone indexers:
• Do not use deployment server or any third party deployment tool, such as
Puppet or CFEngine, to manage common configuration files across peer
nodes. Instead, use the configuration bundle method.
When you distribute updates through the configuration bundle, the master
orchestrates the distribution to ensure that all peers use the same set of
configurations, including the same set of clustered indexes.
If, despite all recommendations, you choose to use another distribution method
instead of the configuration bundle method, you must make sure, at a minimum,
that settings for any new clustered indexes are successfully distributed to all
peers, and that all the peers have been reloaded, before you start sending data
to the new indexes.
Note: Although you cannot use deployment server to directly distribute apps to
the peers, you can use it to distribute apps to the master node's configuration
bundle location. Once the apps are in that location, the master node can then
distribute them to the peer nodes via the configuration bundle method. See Use
deployment server to distribute the apps to the master.
You must use the master node to deploy apps to the peer nodes. Do not use
deployment server or any third party deployment tool, such as Puppet or
CFEngine.
1. Inspect the app for indexes.conf files. For each index defined in an
app-specific indexes.conf file, set repFactor=auto, so that the index gets
replicated across all peers. See The indexes.conf repFactor attribute.
2. Place the app in the $SPLUNK_HOME/etc/master-apps directory on the
master. The set of subdirectories in this location constitute the
configuration bundle.
3. Use Splunk Web or the CLI to distribute the configuration bundle to the
peer nodes.
For detailed information on each of these steps, see Update common peer
configurations and apps.
Once an app has been distributed to the set of peers, you launch it on each peer
in the usual manner, with Splunk Web. See the chapter Meet Splunk apps in the
Admin Manual.
When it comes time to access an app, you do so from the search head, not from
an individual peer. Therefore, you must also install the app on the search head.
On the search head, put the app in the conventional location for apps, that is,
under the $SPLUNK_HOME/etc/apps directory. Install the app in the usual
fashion, according to the app-specific instructions.
To delete an app that you previously distributed to the peers, remove its directory
from the configuration bundle. When you next push the bundle, the app will be
deleted from each peer.
The cluster peers deploy with a peer-specific default indexes.conf file that
handles basic cluster needs. If you want to add indexes or change bucket
behavior, you edit a new indexes.conf file in a special location on the master
and then distribute the file simultaneously to all the peers.
Important: You cannot use Splunk Web or the CLI to configure index settings on
peer nodes. You must edit indexes.conf directly.
The set of indexes.conf files should ordinarily be identical across all peers in a
cluster. In particular, all peers must use the same set of clustered indexes. This
is essential for index replication to work properly. (The master node, on the other
hand, has its own, separate indexes.conf file, because it indexes only its own
internal data.) There is a limited exception to this stricture, which is described a
bit later.
When you first create the cluster, the master distributes a special default
indexes.conf file to each of the peers. This version supplements the standard
default indexes.conf that all indexers get. The peer-specific default
indexes.conf turns on replication for the main index, as well as the internal
indexes, such as _audit and _internal.
Depending on your system, you might also need to edit and distribute a modified
indexes.conf to the peers, to accommodate additional indexes or changes to
bucket attributes. To ensure that all peers use the same indexes.conf, you must
use the master node to distribute the file to all the peers as a single process. This
process, known as the configuration bundle method, is described in Update
common peer configurations and apps.
You must also use the configuration bundle method to distribute apps across all
the peers. These apps might contain their own indexes.conf files, which will
layer appropriately with any non-app version of the file that you might also
distribute to the peers. For information on app distribution, read Manage app
deployment across all peers.
There are two steps to configuring indexes across the set of peers:
1. Edit indexes.conf.
2. Use the master to distribute the file across the set of peers.
1. Edit indexes.conf
For details on configuring indexes.conf, read the topics in the chapters Manage
indexes and Manage index storage in this manual. For a list of all indexes.conf
attributes, see the indexes.conf specification file in the Admin Manual.
For the most part, you edit the cluster peer indexes.conf in the same way as for
any indexer. However, there are a few differences to be aware of.
The indexes.conf repFactor attribute
When you add a new index stanza, you must set the repFactor attribute to
"auto". This causes the index's data to be replicated to other peers in the cluster.
For example:
[<newindex>]
repFactor=auto
homePath=<path for hot and warm buckets>
coldPath=<path for cold buckets>
thawedPath=<path for thawed buckets>
...
Note: By default, repFactor is set to 0, which means that the index will not be replicated. For clustered indexes, you must set it to "auto".
Resetting repFactor from "auto" to 0 will stop further replication, but it will not
automatically remove copies of already replicated buckets. In addition, searches
across buckets with multiple copies will return duplicate events. To free up
associated disk space and eliminate the possibility of duplicate events, you must
remove the excess copies manually.
The master and the peer nodes might run on different operating systems, which affects how you specify file paths. For example, if you have a Windows master and a set of Linux peers, the normal
way to specify the homePath on the Windows master, where the file gets edited,
would be to use the Windows backward-slash convention as a directory
separator, while the Linux peers, where the file gets distributed, require forward
slashes.
To deal with this possibility, the best practice is to always use forward slashes when specifying directory paths in the index path attributes, no matter which operating systems your master and peers use. For example:
homePath = $SPLUNK_HOME/var/lib/splunk/defaultdb/db/
Splunk Enterprise always accepts the forward slash as a directory separator.
2. Distribute the new indexes.conf file to the peers
After you edit indexes.conf, you need to distribute it to the cluster's set of peer
nodes. To learn how to distribute configuration files, including indexes.conf,
across all the peers, read Update common peer configurations and apps.
For information about other types of peer configuration, including app distribution,
read Peer node configuration overview.
To see the set of indexes on your peer nodes, click the Indexes tab on the
master dashboard. See View the master dashboard.
Note: A new index appears under the tab only after it contains some data. In
other words, if you configure a new index on the peer nodes, a row for that index
appears only after you send data to that index.
The set of configuration files and apps common to all peers, which is managed
from the master and distributed to the peers in a single operation, is called the
configuration bundle. The process used to distribute the configuration bundle is
known as the configuration bundle method.
To distribute new or edited configuration files or apps across all the peers, you
add the files to the configuration bundle on the master and tell the master to
distribute the files to the peers.
Structure of the configuration bundle
The configuration bundle consists of the set of files and apps common to all peer
nodes.
On the master
$SPLUNK_HOME/etc/master-apps/
_cluster/
default/
local/
<app-name>/
<app-name>/
...
Note the following:
• Apps that you want to distribute to the peers go in their own subdirectories under master-apps, for example, $SPLUNK_HOME/etc/master-apps/appBestEver.
• To delete an app that you previously distributed to the peers, remove its
directory from the configuration bundle. When you next push the bundle,
the app will be deleted from each peer.
• The master only pushes the contents of subdirectories under master-apps.
It will not push any standalone files directly under master-apps. For
example, it will not push the standalone file /master-apps/file1.
Therefore, be sure to place any standalone configuration files in the
/_cluster/local subdirectory.
You explicitly tell the master when you want it to distribute the latest configuration
bundle to the peers. In addition, when a peer registers with the master (for
example, when the peer joins the cluster), the master distributes the current
configuration bundle to it.
When the master distributes the bundle to the peers, it distributes the entire
bundle, overwriting the entire contents of any configuration bundle previously
distributed to the peers.
The master-apps location is only for peer node files. The master does not use the
files in that directory for its own configuration needs.
On the peers
$SPLUNK_HOME/etc/slave-apps/
_cluster/
default/
local/
<app-name>/
<app-name>/
...
Leave the downloaded files in this location and do not edit them. If you later
distribute an updated version of a configuration file or app to the peers, it will
overwrite any earlier version in $SPLUNK_HOME/etc/slave-apps. You want this to
occur, because all peers in the cluster must be using the same versions of the
files in that directory.
For the same reason, do not add any files or subdirectories directly to
$SPLUNK_HOME/etc/slave-apps. The directory gets overwritten each time the
master redistributes the configuration bundle.
Therefore, if you distribute a setting through the configuration bundle method that
the peer needs to update automatically in some way, the peer will do so by
creating a new version of the app under $SPLUNK_HOME/etc/apps. Since you
cannot have two apps with the same name, this generates "unexpected duplicate
app" errors in splunkd.log.
For example, suppose the configuration bundle includes a setting that the peer must rewrite on restart, such as a password that gets encrypted:
[SSL]
password = <your_password>
If the setting is in an app directory called "newapp" in the configuration bundle,
upon restart the peer will create a "newapp" directory under
$SPLUNK_HOME/etc/apps and put the setting there. This results in duplicate
"newapp" apps.
Best practice for distributing app.conf in the configuration
bundle
1. For each app that you want to distribute, determine if app.conf contains a
new reload.<conf_file_name> = simple parameter.
2. Remove any configuration files referenced in reload.<conf_file_name> =
simple from the configuration bundle.
3. Push the modified configuration bundle containing app.conf to the set of
peers. See Apply the bundle to the peers.
4. Return the referenced configuration file to the appropriate app directory in
the configuration bundle.
5. Make any changes to the configuration file that you want to distribute to
peer nodes.
6. Push the configuration bundle to the peers.
To distribute new or changed files and apps across all peers, follow these steps:
1. Prepare the files and apps for the configuration bundle
Make the necessary edits to the files you want to distribute to the peers. It is
advisable that you then test the files, along with any apps, on a standalone test
indexer to confirm that they are working correctly, before distributing them to the
set of peers. Try to combine all updates in a single bundle, to reduce the impact
on the work of the peer nodes.
For more information on how to configure the files, see Manage common
configurations across all peers and Configure the peer indexes in an indexer
cluster.
2. Move the files and apps into the configuration bundle on the master
node
When you are ready to distribute the files and apps, copy them to
$SPLUNK_HOME/etc/master-apps/ on the master:
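For example, on a master running Linux, copying an app and a standalone configuration file into the bundle might look like this (the source paths are illustrative):
cp -r /tmp/newapp $SPLUNK_HOME/etc/master-apps/
cp /tmp/indexes.conf $SPLUNK_HOME/etc/master-apps/_cluster/local/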
You can validate the bundle and check whether applying the bundle will require a
restart of the peer nodes, without applying the bundle. Once you confirm that the
bundle is valid across all peer nodes, you can then apply it as a separate step.
Validation is useful for ensuring that the bundle will apply across all peer nodes
without problems. The validation process also provides information that is useful
for debugging invalid bundles.
The ability to check restart is useful for admins who want to defer bundle
distribution until a period of low activity or a maintenance window, and avoid
possible restart-related indexing or search interruption. See Restart or reload
after configuration bundle changes?
You can validate the bundle and check restart using Splunk Web or the CLI.
Use the Validate and Check Restart button to validate the bundle and check if
peer nodes will require a restart. This button performs the same function as the
CLI command: splunk validate cluster-bundle --check-restart. See Use the
CLI to validate the bundle and check restart.
1. On the master node, in Splunk Web, click Settings > Indexer Clustering.
The Master Node dashboard opens.
2. Click Edit > Configuration Bundle Actions.
3. Click Validate and Check Restart > Validate and Check Restart.
A message appears that indicates bundle validation and check restart
success or failure.
If bundle validation and check restart succeeds, then the bundle is
acceptable for distribution to the peer nodes. Information about the
validated bundle appears in the UI, including whether a restart of peer
nodes is required. The UI also displays bundle checksums, which you can
use to identify and track the active bundle, the previous bundle, and the
latest check restart bundle.
You can distribute the bundle from the master to the peer nodes using
either Splunk Web or the CLI. See 4. Apply the bundle.
If validation and check restart fails, then the bundle is not acceptable for
distribution to the peers. In this case, review the bundle details for
information that might help you troubleshoot the issue. Make sure that the
configuration bundle structure is correct for distribution to peer nodes. See
Structure of the configuration bundle.
Use the CLI to validate the bundle and check restart
To validate the bundle and check whether a restart is necessary, include the
--check-restart parameter:
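splunk validate cluster-bundle --check-restart
One way to view the results of the validate and check-restart operation is to run splunk show cluster-bundle-status on the master. Its output resembles the following: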
master
  cluster_status=None
  active_bundle
    checksum=576F6BBB187EA6BC99CE0615B1DC151F
    timestamp=1495569737 (in localtime=Tue May 23 13:02:17 2017)
  latest_bundle
    checksum=576F6BBB187EA6BC99CE0615B1DC151F
    timestamp=1495569737 (in localtime=Tue May 23 13:02:17 2017)
  last_validated_bundle
    checksum=1E0C4F0A7363611774E1E65C8B3932CF
    last_validation_succeeded=1
    timestamp=1495574646 (in localtime=Tue May 23 14:24:06 2017)
  last_check_restart_bundle
    checksum=1E0C4F0A7363611774E1E65C8B3932CF
    last_check_restart_result=restart required
    timestamp=1495574646 (in localtime=Tue May 23 14:24:06 2017)
If you validate the bundle without applying it, the contents of the
$SPLUNK_HOME/etc/master-apps directory on the master will differ from the
contents of the $SPLUNK_HOME/etc/slave-apps directory on the peer nodes until
you do apply the bundle. This has no effect on the operation of the cluster, but it
is important to be aware that the difference exists.
To apply the configuration bundle to the peers, you can use Splunk Web or the
CLI.
1. On the master, in Splunk Web, click Settings > Indexer clustering.
The Master Node dashboard appears.
2. Click Edit > Configuration Bundle Actions.
The configuration bundle actions dashboard opens, showing information
on the last successful bundle push.
3. Click Push.
A pop-up window warns you that the distribution might, under certain
circumstances, initiate a restart of all peer nodes. For information on which
configuration changes cause a peer restart, see Restart or reload after
configuration bundle changes?.
4. Click Push Changes.
The screen provides information on the distribution progress. Once the
distribution completes or aborts, the screen indicates the result.
♦ In the case of a successful distribution, after each peer successfully
validates the bundle, the master coordinates a rolling restart of all
the peer nodes, if necessary.
♦ In the case of an aborted distribution, it indicates which peers could
not receive the distribution. Each peer must successfully receive
and apply the distribution. If any peer is unsuccessful, none of the
peers will apply the bundle.
When the push is successful, the peers use the new set of configurations,
now located in their local $SPLUNK_HOME/etc/slave-apps.
For more information on the distribution process, see the following section on
applying the bundle through the CLI.
1. To apply the configuration bundle to the peers, run this CLI command on
the master:
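splunk apply cluster-bundle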
It responds with a warning that, under some circumstances, the command initiates a rolling restart of all peer nodes, and it asks you to confirm that you want to continue.
The download and validation process usually takes just a few seconds to
complete. If any peer is unable to validate the bundle, it sends a message
to the master, and the master displays the error on its dashboard in
Splunk Web. The process will not continue to the next phase - reloading or
restarting the peers - unless all peers successfully validate the bundle.
If validation is not successful, you must fix any problems noted by the
master and rerun splunk apply cluster-bundle.
Once validation is complete, the master tells the peers to reload or, if
necessary, it initiates a rolling restart of all the peers. For details on how
rolling restart works, see Use rolling restart. To set searchable rolling
restart as the default mode for rolling restarts triggered by a bundle push,
see Use searchable rolling restart with configuration bundle push.
When the process is complete, the peers use the new set of
configurations, located in their local $SPLUNK_HOME/etc/slave-apps.
Once an app has been distributed to the set of peers, you launch and manage it
on each peer in the usual manner, with Splunk Web. See Managing app
configurations and properties in the Admin Manual.
You can also validate the bundle without applying it. This is useful for debugging
some validation issues. See 3. (Optional) Validate the bundle.
To see how the cluster bundle push is proceeding, run this command from the
master:
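A sketch, assuming the splunk show cluster-bundle-status command:
splunk show cluster-bundle-status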
Some changes to files in the configuration bundle require that the peers restart.
In other cases, the peers can reload, avoiding any interruption to indexing or
searching. The bundle reload phase on the peers determines whether a restart is
required and directs the master to initiate a rolling restart of the peers only if
necessary.
For example, the peers must restart if:
• You make any of the indexes.conf changes described in Determine which
indexes.conf changes require restart.
• You delete an existing app from the configuration bundle.
For more information, see When to restart Splunk Enterprise after a configuration
file change in the Admin Manual.
Searchable rolling restart lets you perform a rolling restart of peer nodes with
minimal interruption of in-progress searches. You can set searchable rolling
restart in server.conf as the default mode for all rolling restarts triggered by a
configuration bundle push. For instructions, see Set searchable rolling restart as
default mode for bundle push.
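A minimal sketch of that setting, assuming it is the rolling_restart attribute in the [clustering] stanza of the master's server.conf:
[clustering]
rolling_restart = searchable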
You can roll back the configuration bundle to the previous version. This action allows you to recover from a misconfigured bundle.
The rollback action swaps the most recently applied configuration bundle on the peers with the previously applied bundle. You cannot roll back beyond the previous bundle.
For example, say that the peers have an active configuration bundle "A" and you apply a configuration bundle "B", which then becomes the new active bundle. If you discover problems with B, you can roll back to bundle A, and the peers will then use A as their active bundle. If you roll back a second time, the peers return to bundle B. If you roll back a third time, they return to A, and so on. The rollback action always toggles the two most recent bundles.
You can roll back the configuration bundle using Splunk Web or the CLI.
If no previous configuration bundle exists, the Rollback button is disabled.
To roll back the configuration bundle, run this command from the master node:
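A sketch, assuming the rollback form of the cluster-bundle commands:
splunk rollback cluster-bundle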
On Windows, the rollback operation fails if there are open file handles to
$SPLUNK_HOME/etc/master-apps and its contents.
After you initially configure a Splunk instance as a peer node, you must restart it
manually in order for it to join the cluster, as described in Enable the peer nodes.
During this restart, the peer connects with the master, downloads the current
configuration bundle, validates the bundle locally, and then restarts again. The
peer only joins the cluster if bundle validation succeeds. This same process also
occurs when an offline peer comes back online.
If validation fails, the user must fix the errors and run splunk apply
cluster-bundle from the master.
Although you cannot use deployment server to directly distribute apps to the
peers, you can use it to distribute apps to the master node's configuration bundle
location. Once the apps are in that location, the master can distribute them to the
peer nodes, using the configuration bundle method described in this topic.
In addition to the deployment server, you can also use third party distributed
configuration management software, such as Puppet or Chef, to distribute apps
to the master.
To use the deployment server to distribute files to the configuration bundle on the master:
1. Configure the master as a deployment client of the deployment server.
2. On the master, point the deployment client's app repository at the configuration bundle location. In the master's deploymentclient.conf:
[deployment-client]
serverRepositoryLocationPolicy = rejectAlways
repositoryLocation = $SPLUNK_HOME/etc/master-apps
3. On the deployment server, create and populate one or more deployment
apps for download to the master's configuration bundle. Make sure that
the apps follow the structural requirements for the configuration bundle, as
outlined earlier in this topic. For information on creating deployment apps,
see Create deployment apps in Updating Splunk Enterprise Instances .
4. Create one or more server classes that map the master to the deployment
apps. For information on creating server classes, see Create server
classes in Updating Splunk Enterprise Instances.
5. Each server class must include the stateOnClient = noop setting:
[serverClass:<serverClassName>]
stateOnClient = noop
Do not override this setting at the app stanza level.
6. Download the apps to the master node. Once the master receives the new
or updated deployment apps in the configuration bundle, you can
distribute the bundle to the peers, using the method described in the
current topic.
Take steps to ensure that the master does not restart automatically after
receiving the deployment apps. Specifically, when defining deployment
app behavior, do not change the value of the restartSplunkd setting from
its default of false in serverclass.conf. If you are using forwarder
management to define your server classes, make sure that the "Restart
splunkd" field on the Edit App screen is not checked.
For detailed information on the deployment server and how to perform necessary
operations, read the Updating Splunk Enterprise Instances manual.
Forwarders are the recommended way to handle data inputs to peers. For
information on configuring this process, read Use forwarders to get your data into
the indexer cluster.
If you want to input data directly to a peer, without a forwarder, you can configure
your inputs on the peer in the same way as for any indexer. For more
information, read Configure your inputs in the Getting Data In manual.
If you create a version of indexes.conf for a single peer, you can put it in any of
the acceptable locations for an indexer, as discussed in About configuration files
and Configuration file directories in the Admin Manual. The one place where you
cannot put the file is under $SPLUNK_HOME/etc/slave-apps, which is where the
configuration bundle resides on the peer. If you put it there, it will get overwritten
the next time the peer downloads a configuration bundle.
Important: If you add a local index, leave its repFactor attribute set to the
default value of 0. Do not set it to auto. If you do set it to auto, the peer will
attempt to replicate the index's data to other peers in the cluster. Since the other
peers will not be configured for the new index, there will be nowhere on those
peers to store the replicated data, resulting in various, potentially serious,
problems. In addition, when the master next attempts to push a configuration
bundle to the peers, the peer with the incorrectly configured index will return a
bundle validation error to the master, preventing the master from successfully
applying the bundle to the set of peers.
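For example, a peer-specific indexes.conf stanza for a local, non-replicated index might look like this (the index name and paths are illustrative):
[peer_local_logs]
homePath   = $SPLUNK_DB/peer_local_logs/db
coldPath   = $SPLUNK_DB/peer_local_logs/colddb
thawedPath = $SPLUNK_DB/peer_local_logs/thaweddb
repFactor  = 0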
As with any indexer, you sometimes need to restart a peer after you change its
configuration. Unlike non-clustered indexers, however, do not use the CLI splunk
restart command to restart the peer. Instead, use the restart capability in Splunk
Web. For detailed information on how to restart a cluster peer, read Restart a
single peer.
For information on configuration changes that require a restart, see Restart after
modifying server.conf? and Restart or reload after configuration bundle
changes?.
Configure the search head
You configure and enable the search head at the same time that you enable the
other cluster nodes, as described in "Enable the search head". The cluster's set
of peer nodes become search peers of the search head. For basic functionality,
you do not need to set any other configurations.
There are two main reasons for editing the basic search head configuration for a
particular cluster:
• Redirect the search head to another master for the same cluster. This
can be useful in the case where a master fails but you have a stand-by
master for that cluster which you can redirect the search head to. For
information on stand-by masters, see "Replace the master node on the
indexer cluster".
• Change the search head's security key for the cluster. Only change
the key if you are also changing it for all other nodes in the cluster. The
key must be the same across all instances in a cluster.
To edit the search head's cluster node configuration, use one of these methods:
• Edit the configuration from the search head node dashboard in Splunk
Web. See "Configure the search head with the dashboard".
• Edit the search head's server.conf file. See "Configure the search head
with server.conf".
• Use the CLI. See "Configure the search head with the CLI".
For additions and differences when configuring multisite search heads, see
"Implement search affinity in a multisite indexer cluster" and "Configure multisite
indexer clusters with server.conf".
Most settings and capabilities are the same for search heads running on an
indexer cluster and those running against non-clustered indexers.
The main difference is that, for indexer clusters, search heads and search peers
are automatically connected to each other as part of the cluster enablement
process. You do not perform any configuration in distsearch.conf to enable
automatic discovery.
A few attributes in distsearch.conf are not valid for search heads in indexer
clusters. A search head in an indexer cluster ignores these attributes:
servers
disabled_servers
heartbeatMcastAddr
heartbeatPort
heartbeatFrequency
ttl
checkTimedOutServersFrequency
autoAddServers
As when running against non-clustered indexers, search head access to search
peers is controlled through public key authentication. However, you do not need
to distribute the keys manually. The search head in an indexer cluster
automatically pushes its public key to the search peers.
Most distsearch.conf settings are valid only for search heads. However, to
implement mounted bundles, you need to distribute a small distsearch.conf file
to the search peers. For indexer clusters, you should use the master node to
distribute this file to the peers. For information on how to use the master to
manage peer configurations, read "Update common peer configurations and
apps" in this manual. For information on how to configure mounted bundles, read
the "Mount the knowledge bundle" chapter in the Distributed Search manual.
Do not use the Distributed Search page on Splunk Web to configure a search
head in an indexer cluster or to add peers to the cluster. You can, however, use
that page to view the list of search peers.
Combined searches
To search across multiple indexer clusters, see "Search across multiple indexer
clusters".
To search across both clustered and non-clustered search peers, see "Search across both clustered and non-clustered search peers".
The dashboard includes a number of menu items and actions that affect the
configuration.
For information on using this dashboard to enable a search head initially, see
Enable the search head.
For information on using this dashboard to view indexer cluster status, see View
the search head dashboard.
To change the search head's configuration for a particular indexer cluster, select the Edit Configuration action on the cluster's row.
To connect the search head to another cluster, see Search across multiple
indexer clusters.
To remove the search head from an indexer cluster, select the Remove Cluster
action on the row for that cluster. This disassociates the search head from that
cluster, but leaves it connected to all other clusters, if any.
To remove the search head from all clusters, select Disable Clustering from the
Edit menu on the upper right corner of the dashboard.
Other edits
If you need to change this instance to some other node type, like a peer node,
you can do so through the Edit button on the upper right side of the dashboard.
It is extremely unlikely that you will want to change the node type for nodes in an
active cluster. Consider the consequences carefully before doing so.
Before reading this topic, see Configure the indexer cluster with server.conf. It
discusses configuration issues that are common to all cluster node types.
The following example shows the basic settings that you must configure when
enabling a search head node. The configuration attributes shown here
correspond to fields on the Enable clustering page of Splunk Web.
[clustering]
master_uri = https://10.152.31.202:8089
mode = searchhead
pass4SymmKey = whatever
This example specifies that:
• the search head's cluster master is located at 10.152.31.202:8089.
• the instance is a cluster search head.
• the security key is "whatever".
You can change these settings later, if necessary. For example, to change the
cluster's security key, you change the pass4SymmKey value on each node.
You can also configure the search head to search across multiple indexer clusters or across clustered and non-clustered search peers. See "Search across multiple indexer clusters" and "Search across both clustered and non-clustered search peers".
Configure the search head with the CLI
Before reading this topic, see:
• "Configure and manage the indexer cluster with the CLI". This topic
explains the basics of indexer cluster configuration with the CLI. It
provides details on issues that are common to all cluster node types.
The following example shows the basic settings that you typically configure when
enabling a search head. The configuration attributes correspond to fields on the
Enable clustering page of Splunk Web.
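A sketch of the command, reusing the values from the server.conf example earlier in this topic:
splunk edit cluster-config -mode searchhead -master_uri https://10.152.31.202:8089 -secret whatever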
splunk restart
Edit the search head settings
You can also use the CLI to edit the configuration later.
Important: When you first enable a search head, you use the splunk edit
cluster-config command. To change the search head configuration, you must
instead use the splunk edit cluster-master command.
For example, to change the security key (secret), use this command:
splunk edit cluster-master https://10.152.31.202:8089 -secret newsecret123
Important: The splunk edit cluster-master command always takes the current
master URI:port value as its initial parameter. For example, this command
connects the search head to a different master by setting a new value for the
-master_uri parameter, but it provides the value for the old master as its initial
parameter:
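A sketch of such a command, assuming the current master is at 10.152.31.202:8089 and the new master is at 10.160.31.200:8089:
splunk edit cluster-master https://10.152.31.202:8089 -master_uri https://10.160.31.200:8089
Search across multiple indexer clusters
To configure a search head to search across multiple indexer clusters: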
1. Configure the search head for one of the clusters in the usual way, as
described in "Enable the search head".
2. Point the search head at the master for the new cluster. You can do this with
Splunk Web, through the CLI, or by editing the search head's server.conf file.
In Splunk Web
In Splunk Web, configure multi-cluster search from the search head dashboard:
1. Select the Add cluster to be searched button on the upper right corner of the dashboard.
2. Enter the following information:
• Master URI. Enter the master's URI, including its management port. For
example: https://10.152.31.202:8089.
• Security Key. This is the key that authenticates communication between
a cluster's master, peers, and search heads. The key must be the same
across all nodes in a cluster. Enter the security key for the new cluster
here. The key might be different for each of the search head's clusters.
To remove the search head from a cluster, see "Remove the search head from a
cluster".
In the CLI, you can configure multi-cluster search with these commands:
For example, to add the search head to a cluster whose master is located at
https://10.160.31.200:8089, run this command:
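A sketch, with a placeholder security key:
splunk add cluster-master https://10.160.31.200:8089 -secret newsecret123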
By editing server.conf
You can configure multi-cluster search in the search head's server.conf file by
specifying a comma-separated list of master node references in the master_uri
attribute, followed by individual stanzas for each master. For example:
[clustering]
mode = searchhead
master_uri = clustermaster:east, clustermaster:west
[clustermaster:east]
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret
[clustermaster:west]
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret
In this example, the search head will use the pass4SymmKey "someSecret" when
communicating with SplunkMaster01 and pass4SymmKey "anotherSecret" when
communicating with SplunkMaster02.
After you edit server.conf, you must restart the search head for the changes to
take effect.
In the CLI, you configure multi-cluster search with the splunk add
cluster-master command. When adding a multisite cluster, include the search
head's site value:
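A sketch, extending the single-site command above with a site parameter:
splunk add cluster-master https://10.160.31.200:8089 -secret newsecret123 -site site1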
By editing server.conf
To configure multi-cluster search for a multisite cluster, you need to set two
multisite-specific attributes: site and multisite. The locations of these attributes
vary, depending on a few factors.
If the search head will be searching across only multisite clusters, and the
search head is on the same site in each cluster, put the site attribute under
the [general] stanza and the multisite attribute under each [clustermaster]
stanza:
[general]
site=site1
[clustering]
mode = searchhead
master_uri = clustermaster:multieast, clustermaster:multiwest
[clustermaster:multieast]
multisite=true
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret
[clustermaster:multiwest]
multisite=true
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret
If the search head will be searching across only multisite clusters, and the
search head is on a different site in each cluster, put both the site and the
multisite attributes under the [clustermaster] stanzas:
[clustering]
mode = searchhead
master_uri = clustermaster:multieast, clustermaster:multiwest
[clustermaster:multieast]
multisite=true
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret
site=site1
[clustermaster:multiwest]
multisite=true
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret
site=site2
If the search head will be searching across a combination of single-site and
multisite clusters, put both the site and the multisite attributes under the
[clustermaster] stanza for any multisite clusters. In this example, the search
head searches across two clusters, only one of which is multisite:
[clustering]
mode = searchhead
master_uri = clustermaster:multi, clustermaster:single
[clustermaster:multi]
multisite=true
master_uri=https://SplunkMaster01.example.com:8089
pass4SymmKey=someSecret
site=site1
[clustermaster:single]
master_uri=https://SplunkMaster02.example.com:8089
pass4SymmKey=anotherSecret
After you edit server.conf, you must restart the search head for the changes to
take effect.
Search across both clustered and non-clustered
search peers
You can search across both clustered and non-clustered search peers:
1. Enable the instance as a search head in the indexer cluster, as described in "Enable the search head".
2. Use Splunk Web or the CLI to add one or more non-clustered search peers, as described in "Add search peers to the search head" in Distributed Search.
Note the following:
• The procedure assumes that you are starting with a new Splunk
Enterprise instance that you want to enable as a search head for both an
indexer cluster and one or more non-clustered indexers. If the instance is
already functioning as a search head in one of those two roles, you only
need to enable it for the other role. For example, if the search head is
already part of an indexer cluster, then you only perform step 2.
• You must specify the non-clustered search peers through either Splunk
Web or the CLI. Due to authentication issues, you cannot specify the
search peers by directly editing distsearch.conf. When you add a search
peer with Splunk Web or the CLI, the search head prompts you for public
key credentials. It has no way of obtaining those credentials when you add
a search peer by directly editing distsearch.conf. For more information
on public keys and distributed search, read "Add search peers to the
search head" in Distributed Search.
Deploy and configure a multisite indexer
cluster
Important: This chapter assumes that you are deploying independent search
heads in the multisite indexer cluster. For information on how to incorporate
search heads that are members of a search head cluster, see "Integrate the
search head cluster with an indexer cluster" in the Distributed Search manual.
To deploy a multisite cluster, you configure the set of nodes for each site:
• A single master resides on one of the sites and controls the entire multisite
cluster.
• A set of peer nodes resides on each site.
• A search head resides on each site that searches cluster data. If you want
all searches to be local, you must install a search head on each site. This
is known as search affinity.
For example, to set up a two-site cluster with three peers and one search head on each site, you install and configure these instances:
• One master node, residing on one of the sites.
• Three peer nodes on each site.
• One search head on each site.
Note: The master itself is not actually a member of any site, aside from its
physical location. However, each master has a built-in search head, and that
search head requires that you set a site attribute in the master's configuration.
You must specify a site for the master, even if you never use its built-in search
head. Note that the search head is for testing only. Do not use it for production
purposes.
To deploy and configure multisite cluster nodes, you must directly edit
server.conf or use the CLI. You cannot use Splunk Web.
When you deploy a multisite cluster, you configure the same settings as for
single-site, along with some additional settings to specify the set of sites and the
location of replicated and searchable copies across the sites.
To configure a multisite master node with the CLI, see "Configure multisite
indexer clusters with the CLI"
Use indexer discovery with a multisite cluster
If you are using indexer discovery to connect forwarders to the peer nodes, you
must assign a site to each forwarder. See "Use indexer discovery in a multisite
cluster."
For example, say you have two data centers in California, one in San Francisco
and the other in Los Angeles. You set up a two-site cluster, with each site
corresponding to a data center. Search affinity allows you to reduce
long-distance network traffic. Search heads at the San Francisco data center get
results only from the peers in San Francisco, while search heads in Los Angeles
get results only from their local peers.
For those sites that you want to support search affinity, you must configure
multisite clustering so that the site has a full set of searchable data and a local
search head. The search head on any particular site then gets data only from its
local site, as long as that site is valid.
When search affinity is functioning, each search head sends its searches to all
peers, across all sites, but only the local peers search their data and return
results to the search head.
If a local peer holding some of the searchable data goes down and the site
temporarily loses its valid state, the search head will, if necessary, get data from
peers on remote sites while the local site is undergoing bucket fixing. During this
time, the search head will still get as much of the data as possible from the local
site.
Once the site regains its valid state, new searches again occur across only the
local site.
For more details on how the cluster handles search affinity, see "Multisite indexer
cluster architecture" and "Search locally in a multisite cluster".
With multisite clusters, search affinity is enabled by default. However, you must
perform a few steps to take advantage of it. Specifically, you must ensure that
both the searchable data and the search heads are available locally.
1. Configure the site search factor so that you have at least one searchable copy
on each site where you require search affinity.
One way to do this is to explicitly specify a search factor for each site that
requires search affinity. For example, a four-site cluster with site_search_factor
= origin:1, site1:1, site2:1, total:3 ensures that both site1 and site2 have
searchable copies of every bucket. The third set of searchable copies will be
spread across the two non-explicit sites, with no guarantee that either site will
have a full set of searchable copies. Thus, search affinity is enabled for only site1
and site2. Site1 and site2 will each hold primary copies of all buckets.
There are also ways to configure the site search factor to ensure that all sites
have searchable copies, even without explicitly specifying some or all of them.
For example, a three-site cluster with site_search_factor = origin:1, total:3
guarantees one searchable copy per site, and thus enables search affinity for
each site. Each site will have primary copies of all buckets.
For more information on how replication and search factors distribute copies
across sites, see "Configure the site replication factor" and "Configure the site
search factor".
2. Deploy a search head on each site where you require search affinity.
You can disable search affinity for any search head. When search affinity is
disabled, the search head does not attempt to obtain search results from a single
site only. Rather, it can obtain results from multiple sites. This can be useful, for
example, if you have two data centers in close proximity with low latency, and
you want to improve overall performance by spreading the processing across
indexers on both sites.
What happens when search affinity is disabled
When search affinity is disabled on a search head, search results can come from
indexers on any or all sites. If the site search factor stipulates searchable bucket
copies on multiple sites, the search head uses undefined criteria to choose which
of the searchable copies to search. It is likely to choose some bucket copies from
one site and other bucket copies from other sites, so the results will come from
multiple sites.
Search heads always select from primary bucket copies. For example, say you have a two-site cluster with a site search factor that places searchable copies of every bucket on both sites.
A search head with search affinity enabled limits its searches to the primary
copies on its own site, when possible.
In contrast, a search head with search affinity disabled distributes its search
across primary copies on both sites. For a given bucket, you cannot know
whether it will select the primary on site1 or the primary on site2. It does tend to
use the same primaries from one search to the next.
To disable search affinity for a search head, set the search head's site value to
"site0" in server.conf:
[general]
site = site0
[clustering]
multisite = true
...
By setting site=site0, you cause searches to behave like they would on a
single-site cluster, with no preference for any particular site.
For more information on configuring multisite search heads, see "Configure the
search heads."
• "Configure the indexer cluster with server.conf". This topic explains the
basics of cluster configuration. It focuses on single-site clusters, but most
of the information is relevant to multisite clusters as well.
You configure multisite indexer clusters in a similar way to how you configure
clusters for a single site, with the exception of a few new attributes:
• The site attribute specifies the site that a node resides on.
Important: Although the site_replication_factor effectively replaces the
single-site replication_factor, and the site_search_factor replaces single-site
search_factor, those single-site attributes continue to exist in the master's
configuration, with their default values of 3 and 2, respectively. This can cause
problems on start-up if any site has fewer peer nodes than either of those values;
that is, if any site has only one or two peer nodes. The symptom will be a
message that the multisite cluster does not meet its replication or search factor.
For example, if one of your sites has only two peers, the default single-site
replication factor of 3 will cause the error to occur. To avoid or fix this problem,
you must set the single-site replication and search factors to values that are less
than or equal to the smallest number of peers on any site. In the case where one
site has only two peers, you must therefore explicitly set the replication_factor
attribute to a value of 2. See "Multisite cluster does not meet its replication or
search factors."
If you are migrating a cluster from single-site to multisite, you must keep the
existing replication_factor and search_factor attributes for the existing
single-site buckets, while also adding the new multisite site_replication_factor
and site_search_factor attributes for the new multisite buckets. See "Migrate an
indexer cluster from single-site to multisite".
To configure a multisite cluster, you configure the nodes for each site, editing
each node's server.conf file. For details on the clustering attributes, read the
server.conf specification.
Site values
Site values identify the site on which a node resides. You assign a site value to
each node in a multisite cluster. To do this, you set the site attribute in the
node's [general] stanza.
site<n>
where <n> is an integer in the range of 1 to 63: site1, site2, site3, ....
For example:
site=site1
The special value "site0" can be set only on search heads or on forwarders that
are participating in indexer discovery:
• For a search head, "site0" disables search affinity for the search
head. See Disable search affinity.
• For a forwarder participating in indexer discovery, "site0" causes the
forwarder to send data to all peer nodes across all sites. See Use indexer
discovery in a multisite cluster.
You configure the key attributes for the entire cluster on the master node. Here is
an example of a multisite configuration for a master node:
[general]
site = site1
[clustering]
mode = master
multisite = true
available_sites = site1,site2
site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2
pass4SymmKey = whatever
cluster_label = cluster1
This example specifies that:
• You specify the site attribute in the [general] stanza. You specify all
other multisite attributes in the [clustering] stanza.
• You can locate the master on any site in the cluster, but each cluster has
only one master.
• You must set multisite=true.
• You must list all cluster sites in the available_sites attribute.
• You must set a site_replication_factor and a site_search_factor. For
details, see Configure the site replication factor and Configure the site
search factor.
• The pass4SymmKey attribute, which sets the security key, must be the same
across all cluster nodes. See Configure the indexer cluster with
server.conf for details.
• The cluster label is optional. It is useful for identifying the cluster in the
monitoring console. See Set cluster labels in Monitoring Splunk
Enterprise.
Important: When the master starts up for the first time, it blocks indexing on the
peers until you enable and restart the full replication factor number of peers. For
example, given a three-site cluster with "site_replication_factor = origin:2, site1:1,
site2:2, site3:3, total:8", the master blocks indexing until there are at least eight
peers in total across all sites, including at least one in site1, two in site2, and
three in site3.
Do not restart the master while it is waiting for the peers to join the cluster. If you
do, you will need to restart the peers a second time.
To configure a peer node in a multisite cluster, you set a site attribute in the
[general] stanza. All other configuration settings are identical to a peer in a
single-site cluster.
[general]
site = site1
[replication_port://9887]
[clustering]
master_uri = https://10.152.31.202:8089
mode = slave
pass4SymmKey = whatever
This example specifies that:
• the instance is located in site1. A peer can belong to only a single site.
• the peer will use port 9887 to listen for replicated data streamed from the
other peers. You can specify any available, unused port as the replication
port. Do not re-use the management or receiving ports.
• the peer's cluster master is located at 10.152.31.202:8089.
• the instance is a cluster peer ("slave") node.
• the security key is "whatever".
Multisite search heads can provide search affinity. For information, see
"Implement search affinity in a multisite indexer cluster".
To configure a search head in a multisite cluster, you set a site attribute in the
[general] stanza and a multisite attribute in the [clustering] stanza. All other
configuration settings are identical to a search head in a single-site cluster. Here
is an example configuration for a multisite search head node:
[general]
site = site1
[clustering]
multisite = true
master_uri = https://10.152.31.202:8089
mode = searchhead
pass4SymmKey = whatever
This example specifies that:
• the instance is located in site1. A search head can belong to only a single
site per master.
• the search head is a member of a multisite cluster.
• the search head's cluster master is located at 10.152.31.202:8089.
• the instance is a cluster search head.
• the security key is "whatever".
Note: You can also use server.conf to enable multi-cluster search, in which the
search head searches across multiple clusters, multisite or single-site. For
searching across multiple multisite clusters, you can configure the search head to
be a member of a different site on each cluster. For details, see "Configure
multi-cluster search for multisite clusters".
with the CLI", rather than editing server.conf directly. If you use the CLI, you do
not need to restart the search head.
After configuring instances as multisite cluster nodes, you need to restart all of
them (master, peers, and search head) for the changes to take effect. You can
do this by invoking the CLI restart command on each node:
$SPLUNK_HOME/bin/splunk restart
Important: When the master starts up for the first time, it blocks indexing on the
peers until you enable and restart the full replication factor number of peers. For
example, given a three-site cluster with "site_replication_factor = origin:2, site1:1,
site2:2, site3:3, total:8", the master blocks indexing until there are at least eight
peers in total across all sites, including at least one in site1, two in site2, and
three in site3.
Do not restart the master while it is waiting for the peers to join the cluster. If you
do, you will need to restart the peers a second time.
On the master
You must restart the master after you change any of the following attributes:
• multisite
• available_sites
• site_replication_factor
• site_search_factor
After you restart the master, you must also initiate a rolling-restart of the cluster
peers. If you don't, the cluster will be in an indeterminate state. For information
on the splunk rolling-restart command, see "Use rolling restart".
You do not need to restart if you change the site value on a master.
On the peers
If you change the site value on a peer, you must restart it for the change to take
effect.
Important: Although you can use the CLI restart command when you initially
enable an instance as a cluster peer node, you should not use it for subsequent
restarts. The restart command is not compatible with index replication once
replication has begun. For more information, including a discussion of safe
restart methods, see "Restart a single peer".
You do not need to restart if you change the site value on a search head.
• "Configure the indexer cluster with the CLI". This topic explains the basics
of using the CLI to configure a cluster. It focuses on single-site clusters,
but most of its information is relevant to multisite clusters as well.
You configure instances as multisite cluster nodes with the splunk edit
cluster-config command. After enabling an instance, you must restart it.
Site values
Site values identify the site on which a node resides. You assign a site value to
each node in a multisite cluster.
site<n>
where <n> is an integer in the range of 1 to 63: site1, site2, site3, ....
Note: In the case of a search head only, you can also set the site value to
"site0". This setting disables search affinity for the search head.
splunk restart
This example configures the instance as the master of a two-site cluster (site1 and site2), locates it on site1, and sets the site replication factor, site search factor, and security key.
You might also need to adjust the single-site replication and search factors. See
"How multisite configuration differs from single-site configuration."
Important: When the master starts up for the first time, it blocks indexing on the
peers until you enable and restart the full replication factor number of peers. For
example, given a three-site cluster with "site_replication_factor = origin:2, site1:1,
site2:2, site3:3, total:8", the master blocks indexing until there are at least eight
peers in total across all sites, including at least one in site1, two in site2, and
three in site3.
Do not restart the master while it is waiting for the peers to join the cluster. If you
do, you will need to restart the peers a second time.
Note: You do not need to restart the master if you later change its site value.
To configure a peer node in a multisite cluster, you set a site attribute. All other
configuration settings are identical to a peer in a single-site cluster.
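To configure the peer, run splunk edit cluster-config on the peer and then restart it. A sketch, reusing the values from the server.conf peer example earlier in this manual:
splunk edit cluster-config -mode slave -site site1 -master_uri https://10.152.31.202:8089 -replication_port 9887 -secret whatever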
splunk restart
This example places the peer on site1, points it at the master at 10.152.31.202:8089, sets its replication port to 9887, and sets the security key.
Note: You do not need to restart the peer if you later change its site value.
To configure a search head for a multisite cluster, set the site parameter. All
other settings are the same as for a search head in a single-site cluster.
You use different commands to configure a search head initially and to change
its configuration later.
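To configure the search head initially, run splunk edit cluster-config on it and then restart it. A sketch, reusing the values from the server.conf search head example earlier in this manual:
splunk edit cluster-config -mode searchhead -site site1 -master_uri https://10.152.31.202:8089 -secret whatever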
splunk restart
This example places the search head on site1, points it at the master at 10.152.31.202:8089, and sets the security key.
To disable search affinity for a search head, so that it gets its data randomly from
all sites in the cluster, set the site attribute to "site0".
Note: When you specify the site parameter, the command automatically sets
multisite=true in the search head's server.conf file. You do not need to
explicitly pass a multisite parameter.
Use the splunk edit cluster-master command, not the splunk edit
cluster-config command.
For example, assume that you initially configured a single-site search head using
the splunk edit cluster-config command:
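A sketch, reusing the master URI and key from the earlier examples:
splunk edit cluster-config -mode searchhead -master_uri https://10.152.31.202:8089 -secret whatever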
splunk restart
To later reconfigure the search head for a multisite cluster, use the splunk edit
cluster-master command:
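A sketch, assuming the search head belongs to site1 and the current master is at 10.152.31.202:8089:
splunk edit cluster-master https://10.152.31.202:8089 -site site1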
Note: You do not need to restart the search head if you later change its site
value.
Configure the site replication factor
Read this first
Before attempting to configure the site replication factor, you must be familiar
with:
• The basic, single-site replication factor. See "The basics of indexer cluster
architecture" and "Replication factor".
• Multisite cluster configurations. See "Configure multisite indexer clusters
with server.conf".
The site replication factor provides site-level control over the location of bucket
copies, in addition to providing control over the total number of copies across the
entire cluster. For example, you can specify that a two-site cluster maintain a
total of three copies of all buckets, with one site maintaining two copies and the
second site maintaining one copy.
You can also specify a replication policy based on which site originates the
bucket. That is, you can configure the replication factor so that a site receiving
external data maintains a greater number of copies of buckets for that data than
for data that it does not originate. For example, you can specify that each site
maintains two copies of all data that it originates but only one copy of data
originating on another site.
Syntax
You configure the site replication factor with the site_replication_factor attribute in the master's server.conf file. The attribute resides in the [clustering] stanza, in place of the single-site replication_factor attribute. For example:
[clustering]
mode = master
multisite=true
available_sites=site1,site2
site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2
You can also use the CLI to configure the site replication factor. See "Configure
multisite indexer clusters with the CLI".
• Here is how the cluster determines the minimum number of copies a site
gets:
♦ When a site is functioning as origin, the minimum number of copies
the site gets is the greater of either its site value, if any, or origin.
♦ When a site is not functioning as origin, the site value, if any,
determines the minimum number of copies the site gets.
♦ A non-explicit site is not guaranteed any copies except when it is
functioning as the origin site.
♦ If all sites are explicit, then the total must be at least the minimum
value necessary to fulfill the dictates of the site and origin values.
For example, with a three-site cluster and "site_replication_factor =
origin:1, site1:1, site2:1, site3:1", the total must be at least 3,
because that configuration never requires more than three copies.
For a three-site cluster and "site_replication_factor = origin:2,
site1:1, site2:1, site3:1", the total must be at least 4, because one
of the sites will always be the origin and thus require two copies,
while the other sites will each require only one. For a three-site
cluster and "site_replication_factor = origin:3, site1:1, site2:2",
site3:3", the total must be at least 8, to cover the case where site1
is the origin.
• Because the total value can be greater than the total set of explicit
values, the cluster needs a strategy to handle any "remainder" bucket
copies. Here is the strategy:
♦ If copies remain to be assigned after all site and origin values have
been satisfied, those remainder copies are distributed across all
sites, with preference given to sites with fewer or no copies, so that
the distribution is as even as possible. Assuming that there are
enough remainder copies available, each site will have at least one
copy of the bucket.
This entire process depends on the availability of a sufficient
number of peers on each site. If a site does not have enough peers
available to accept additional copies, the copies go to sites with
available peers. In any case, at least one copy will be distributed or
reserved for each site, assuming enough copies are available.
• Each site must deploy a set of peers at least as large as the greater of the
origin value or its site value.
For example, given a three-site cluster with "site_replication_factor =
origin:2, site1:1, site2:2, site3:3, total:8", the sites must have at least the
following number of peers: site1: 2 peers; site2: 2 peers; site3: 3 peers.
• The total number of peers deployed across all sites must be greater than
or equal to the total value.
• If you are migrating from a single-site cluster, the total value must be at
least as large as the replication_factor for the single-site cluster. See
"Migrate an indexer cluster from single-site to multisite".
Examples
• A cluster of three sites (site1, site2, site3), with
"site_replication_factor = origin:2, site1:1, site2:2, total:5": Site1
stores two copies of any bucket it originates, one or two copies of any
bucket site2 originates, and one copy of any bucket that site3 originates.
Site2 stores two copies of any bucket, whether or not it originates it. Site3,
whose site value is not explicitly defined, stores two copies of any bucket it
originates, one copy of any bucket site1 originates, and one or two copies
of any bucket site2 originates. (When site2 originates a bucket, one copy
remains after initial assignments. The master assigns this randomly to
site1 or site3.)
Configure the site search factor
Read this first
Before attempting to configure the site search factor, you must be familiar with:
• The basic, single-site search factor. See "The basics of indexer cluster architecture" and "Search factor".
• Multisite cluster configurations. See "Configure multisite indexer clusters with server.conf".
What is a site search factor?
The site search factor provides site-level control over the location of searchable
bucket copies, in addition to providing control over the total number of searchable
copies across the entire cluster. For example, you can specify that a two-site
cluster maintain a total of three searchable copies of all buckets, with one site
maintaining two copies and the second site maintaining one copy.
You can also specify a search policy based on which site originates the bucket.
That is, you can configure the search factor so that a site receiving external data
maintains a greater number of searchable copies of buckets for that data than for
data that it does not originate. For example, you can specify that each site
maintains two searchable copies of all data that it originates but only one copy of
data originating on another site.
The site search factor helps determine whether the cluster has search affinity.
See "Implement search affinity in a multisite indexer cluster".
Syntax
You configure the site search factor with the site_search_factor attribute in the
master's server.conf file. The attribute resides in the [clustering] stanza, in
place of the single-site search_factor attribute. For example:
[clustering]
mode = master
multisite=true
available_sites=site1,site2
site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2
You can also use the CLI to configure the site search factor. See "Configure
multisite indexer clusters with the CLI".
Warning: You must configure the site_search_factor attribute correctly.
Otherwise, the master will not start.
• To determine the minimum required value for total, use the same rules
as for determining the minimum total value for the
site_replication_factor. See "Configure the site replication factor".
• Because the total value can be greater than the total set of explicit
values, the cluster needs a strategy to handle any "remainder" searchable
bucket copies. The strategy follows the strategy for remainder replicated
copies, described in "Configure the site replication factor".
• All values must be less than or equal to their corresponding values in the
site_replication_factor.
• If you are migrating from a single-site cluster, the total value must be at
least as large as the search_factor for the single-site cluster. See
"Migrate an indexer cluster from single-site to multisite".
Examples
For examples of site search factor syntax, refer to the examples in "Configure the
site replication factor". The syntax for specifying origin/site/total values in
site_search_factor is identical to site_replication_factor.
Handle the persistence of the single-site search_factor
After migration, all buckets created before migration continue to adhere to their
single-site replication and search factor policies, by default. You can alter this
behavior so that pre-migration buckets adhere instead to the multisite policies, by
changing the constrain_singlesite_buckets setting on the master's
server.conf to "false".
In the default scenario, after the migration, the cluster holds both single-site and multisite buckets. It maintains them separately: pre-migration buckets continue to follow the single-site replication and search factor policies, while buckets created after migration follow the multisite policies.
Convert existing buckets to multisite
If you configure the master node to convert existing buckets to multisite, all
buckets will adhere to the settings for site_replication_factor and
site_search_factor, once the migration process is finished.
If you change the master node configuration before migration, existing buckets
will follow the site_replication_factor and site_search_factor policies
immediately, post-migration.
You can also change the master node configuration later, post-migration. Any
pre-migration buckets that have been following the single-site policies will then
follow the multisite policies.
To change the default behavior, so that existing single-site buckets adhere to the
multisite replication and search factor policies, change the
constrain_singlesite_buckets setting on the master's server.conf to "false":
[clustering]
mode = master
constrain_singlesite_buckets = false
You must restart the master node for the change to take effect.
Depending on when you want the associated, and potentially lengthy, bucket
fixup to occur, you can make this configuration change either before migrating
the cluster to multisite, or at some convenient time post-migration.
Prerequisites
• The master node must be running Splunk Enterprise version 7.2 or later.
• All nodes in the post-migration cluster must adhere to the version
compatibility rules described in Splunk Enterprise version compatibility.
Therefore, before migrating to multisite, you might need to upgrade your
single-site cluster. Follow the appropriate procedure in Upgrade an
indexer cluster.
• If you want existing buckets to adhere to the multisite replication and
search policies post-migration, you must change a configuration on the
master node. See Configure the master to convert existing buckets to
multisite. Alternatively, you can perform this step at any time
post-migration.
Steps
1. Configure the master node for multisite and restart it, following the instructions
in Configure multisite indexer clusters with the CLI. For example:
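A sketch, reusing the two-site values from the earlier configuration examples:
splunk edit cluster-config -mode master -multisite true -available_sites site1,site2 -site site1 -site_replication_factor origin:2,total:3 -site_search_factor origin:1,total:2 -secret whatever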
splunk restart
Note the following:
• Do not remove the existing single-site attributes for replication factor and
search factor, replication_factor and search_factor. The master needs
them to handle the migrated buckets.
2. Enable maintenance mode on the master:
splunk enable maintenance-mode
To confirm that the master has entered maintenance mode, run splunk show maintenance-mode.
3. Configure the existing peer nodes for multisite. For each peer, specify its
master node and site. For example:
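A sketch for a peer on site1, reusing the master URI and key from the earlier examples:
splunk edit cluster-config -site site1 -master_uri https://10.152.31.202:8089 -secret whatever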
Do this for each peer, specifying the site for that peer.
4. If you want to add new peers to the cluster, follow the instructions in Configure
multisite indexer clusters with the CLI. For example:
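A sketch for a new peer on site2 (values are illustrative):
splunk edit cluster-config -mode slave -site site2 -master_uri https://10.152.31.202:8089 -replication_port 9887 -secret whatever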
splunk restart
Do this for each new peer that you want to add to the cluster.
5. Configure the search heads for multisite. For each search head, specify its
master node and site. For example:
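A sketch for a search head on site1, where the initial parameter is the current master URI and port:
splunk edit cluster-master https://10.152.31.202:8089 -site site1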
Note: The configuration is essentially the same if the search heads are members
of a search head cluster. See Integrate with a multisite indexer cluster in
Distributed Search.
6. If you want to add new search heads to the cluster, follow the instructions in
Configure multisite indexer clusters with the CLI. For example:
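A sketch for a new search head on site2 (values are illustrative):
splunk edit cluster-config -mode searchhead -site site2 -master_uri https://10.152.31.202:8089 -secret whatever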
splunk restart
Do this for each new search head that you want to add to the cluster.
7. Disable maintenance mode on the master:
splunk disable maintenance-mode
To confirm that the master has left maintenance mode, run splunk show
maintenance-mode.
You can view the master dashboard to verify that all cluster nodes are up and
running.
During the migration, the cluster tags each single-site bucket with a site value.
Note: You can also configure a multisite cluster by directly editing server.conf.
See Configure multisite indexer clusters with server.conf
8. If you are using indexer discovery to connect forwarders to the peer nodes,
you must assign a site to each forwarder. See Use indexer discovery in a
multisite cluster.
If you configured the master to convert existing single-site buckets to the multisite
replication and search factor policies, bucket fixup will likely continue for some
time after the cluster migration process itself completes. If you have a large
number of existing buckets, the bucket fixup can continue for a long time.
Buckets in multisite clusters include a property that identifies the origin site.
Buckets in single-site clusters do not include that property. So, when a cluster
migrates from single-site to multisite, it must tag each single-site bucket with an
origin site value. Since the bucket name includes the GUID of the originating
peer, the cluster always knows the originating peer. With that information, it infers
an origin site for the bucket:
• If the originating peer still exists in the cluster, the cluster assumes that the
bucket originated on the site that the originating peer has been assigned
to. It sets the bucket's origin to that site.
• If the originating peer is no longer in the cluster, the cluster assumes that
the site with the most copies of the bucket is the origin site. It sets the
bucket's origin to that site.
Here is how the cluster uses the inferred origin site to maintain the single-site
bucket going forward, to handle any necessary fix-up so that the bucket
continues to meet the single-site replication and search factors:
• If the cluster needs to replicate additional copies of the bucket to fulfill the
replication factor, it only replicates within the bucket's inferred origin site.
• If the cluster needs to make a non-searchable copy of the bucket
searchable to fulfill the search factor, it might do so on a non-origin site, if
a non-searchable copy of that bucket already exists on some other site.
The cluster will never create a new copy of the bucket on a non-origin site.
The cluster uses the described methodology to infer an origin site for each
bucket.
While fixup is continuing, the master dashboard indicates that the replication
factor and search factors are not met. Once the fixup process is finished, the
cluster returns to a complete state, as indicated by the master dashboard.
If you configure the master node for multisite clustering, but the new site is not
yet fully operational, the master blocks indexing while it waits for enough peers to
become available to fulfill the multisite replication factor. To unblock indexing,
you can run the splunk set indexing-ready command on the master. See
Restart indexing in multisite cluster after master restart or site failure.
View indexer cluster status
You can only view this dashboard on an instance that has been enabled as a
master.
The dashboard includes the following components:
• Cluster overview
• Peers tab
• Indexes tab
• Search Heads tab
Cluster overview
The cluster overview summarizes the health of your cluster. It tells you:
• whether the cluster's data is fully searchable; that is, whether all buckets in
the cluster have a primary copy.
• whether the search and replication factors have been met.
• how many peers are searchable.
• how many indexes are searchable.
Depending on the health of your cluster, it might also provide warning messages.
For details on the information presented in the cluster overview, browse the tabs
underneath.
On the upper right side of the dashboard, there are three buttons:
• Edit. For information on this button, see Configure the master with the
dashboard.
• More Info. This button provides details on the master node configuration:
♦ Name. The master's serverName, as specified in the master's
$SPLUNK_HOME/etc/system/local/server.conf file.
♦ Replication Factor. The cluster's replication factor.
♦ Search Factor. The cluster's search factor.
♦ Generation ID. The cluster's current generation ID.
• Documentation.
Peers tab
♦ ManualDetention. A peer goes into this state through manual
intervention. While in this state, a peer does not consume or index
external data or serve as a replication target. It continues to
participate in searches. See Put a peer in detention.
♦ ManualDetention-PortsEnabled. A peer goes into this state through
manual intervention. While in this state, a peer continues to
consume and index external data, but it does not serve as a
replication target. It continues to participate in searches. See Put a
peer in detention.
♦ Restarting. When you run the splunk offline command without
the enforce-counts flag, the peer enters this state temporarily after
it leaves the ReassigningPrimaries state. It remains in this state for
the restart_timeout period (60 seconds by default). If you do not
restart the peer within this time, it then moves to the Down state. The
peer also enters this state during rolling restarts or if restarted via
Splunk Web.
♦ ShuttingDown. The master detects that the peer is shutting down.
♦ ReassigningPrimaries. A peer enters this state temporarily when
you run the splunk offline command without the enforce-counts
flag.
♦ Decommissioning. When you run the splunk offline command
with the enforce-counts flag, the peer enters this state and remains
there until all bucket fixing is complete and the peer can shut down.
♦ GracefulShutdown. When you run the splunk offline command
with the enforce-counts flag, the peer enters this state when it
finally shuts down at the end of a successful decommissioning. It
remains in this state for as long as it is offline.
♦ Stopped. The peer enters this state when you stop it with the
splunk stop command.
♦ Down. The peer enters this state when it goes offline for any reason
other than those resulting in a status of GracefulShutdown or
Stopped: either you ran the version of the splunk offline
command without the enforce-counts flag and the peer shut down
for longer than the restart_timeout period (60 seconds by default),
or the peer went offline for some other reason (for instance, it
crashed).
• Buckets. The number of buckets for which the peer has copies.
To get more information for any peer, click on the arrow to the left of the peer
name. These fields appear:
• Last Heartbeat. The time of the last heartbeat the master received from
the peer.
• Replication port. The port on which the peer receives replicated data
from other peers.
• Base generation ID. The peer's base generation ID, which is equivalent
to the cluster's generation ID at the moment that the peer last joined the
cluster. This ID will be less than or equal to the cluster's current generation ID.
So, if a peer joined the cluster at generation 1 and has stayed in the
cluster ever since, its base generation ID remains 1, even though the
cluster might have incremented its current generation ID to, say, 5.
• GUID. The peer's GUID.
Note: After a peer goes down, it continues to appear on the list of peers,
although its status changes to "Down" or "GracefulShutdown." To remove the
peer from the master's list, see Remove a peer from the master's list.
Indexes tab
• Index Name. The name of the index. Internal indexes are preceded by an
underscore (_).
• Fully searchable. Is the index fully searchable? In other words, does it
have at least one searchable copy of each bucket? If even one bucket in
the index does not have a searchable copy, this field will report the index
as non-searchable.
• Searchable Data Copies. The number of complete searchable copies of
the index that the cluster has.
• Replicated Data Copies. The number of copies of the index that the
cluster has. Each copy must be complete, with no buckets missing.
• Buckets. The number of buckets in the index. This number does not
include replicated bucket copies.
• Cumulative Raw Data Size. The size of the index's raw data, excluding
hot buckets. This number does not include replicated copies of the raw
data.
The list of indexes includes the internal indexes, _audit and _internal. As you
would expect in a cluster, these internal indexes contain the combined data
generated by all peers in the cluster. If you need to search for the data generated
by a single peer, you can search on the peer's host name.
This tab also reveals a button with the label, Bucket Status. If you click on it, you
go to the Bucket Status dashboard. See View the bucket status dashboard.
Note: A new index appears here only after it contains some data. In other words,
if you configure a new index on the peer nodes, a row for that index appears only
after you send data to that index.
For each search head accessing this cluster, the master dashboard lists:
Note: The list includes the master node as one of the search heads. Although
the master has search head capabilities, you should only use those capabilities
for debugging purposes. The resources of the master must be dedicated to
fulfilling its critical role of coordinating cluster activities. Under no circumstances
should the master be employed as a production search head. Also, unlike a
dedicated search head, the search head on the master cannot be configured for
multi-cluster search; it can only search its own cluster.
To get more information for any search head, click on the arrow to the left of the
search head name. These fields appear:
The Bucket Status dashboard provides status for the buckets in the cluster. It
contains three tabs:
Fixup Tasks - In Progress
This tab provides a list of buckets that are currently being fixed. For example, if a
bucket has too few copies, fixup activities must occur to return the cluster to a
valid and complete state. While those activities are occurring, the bucket
appears on this list.
This tab provides a list of buckets that are waiting to be fixed. You can filter the
fixup tasks by search factor, replication factor, and generation.
For more information on bucket fixup activities, see What happens when a peer
goes down.
This tab also includes an Action button that allows you to fix issues with
individual buckets. For details, see Handle issues with individual buckets.
This tab provides a list of indexes with excess bucket copies. It enumerates both
buckets with excess copies and buckets with excess searchable copies. It also
enumerates the total excess copies in each category. For example, if your index
"new" has one bucket with three excess copies, one of which is searchable, and
a second bucket with one excess copy, which is non-searchable, the row for
"new" will report:
If you want to remove the excess copies for a single index, click the Remove
button on the right side of the row for that index.
If you want to remove the excess copies for all indexes, click the Remove All
Excess Buckets button.
For more information on excess bucket copies, see Remove excess bucket
copies from the indexer cluster.
Use the monitoring console to view status
You can use the monitoring console to monitor most aspects of your deployment,
including the status of your indexer cluster. The information available through the
console duplicates much of the information available on the master dashboard.
For more information, see Use the monitoring console to view indexer cluster
status.
For a single view with information on all the peers in a cluster, use the master
node dashboard instead, as described in "View the master dashboard".
You can only view this dashboard on an instance that has been enabled as a
peer.
• Base generation ID. The peer's base generation ID, which is equivalent to the cluster's generation ID at the moment that the peer last joined the cluster. If a peer joined the cluster at generation 1 and has stayed in the cluster ever since, its base generation ID remains 1, even though the cluster might have incremented its current generation ID to, say, 5.
The Edit button at the top right of the peer dashboard offers several options for
changing the configuration of the peer. See "Configure peer nodes with the
dashboard."
You can only view this dashboard on an instance that has been enabled as a
cluster search head.
The dashboard lists the master nodes for all clusters the search head belongs to,
along with some information on the status of each cluster.
For more information on the master node and its cluster, click the arrow at the far
left of each row.
You can get information on the search head itself by selecting the More Info
button on the upper right corner of the dashboard:
Configure the search head
The dashboard offers several options for acting on the search head or otherwise
changing its configuration. See "Configure the search head with the dashboard."
You can also view information on the search head's search peers (identical, in
clustering, to the set of cluster peer nodes) from the search head's Distributed
Search page in Splunk Web:
1. On the search head, click Settings in the upper right corner of Splunk Web.
Caution: Do not use the Distributed Search page in Splunk Web to change your
search head configuration or to add peers. For information on how to configure
an indexer cluster search head correctly, see "Search head configuration
overview".
There are two indexer clustering dashboards under the Indexing menu:
The Indexer Clustering: Service Activity dashboard provides information on
matters such as bucket-fixing activities and warnings and errors.
View the dashboards themselves for more information. In addition, see "Indexer
Clustering: Status" and "Indexer Clustering: Service Activity" in the Distributed
Management Console Manual.
Manage the indexer cluster
Caution: Do not use splunk stop to take a peer offline. Instead, use splunk
offline. It stops the peer in a way that minimizes disruption to your searches.
• A valid cluster has primary copies of all its buckets and therefore is able
to handle search requests across the entire set of data. In the case of a
multisite cluster, a valid cluster also has primary copies for every site with
search affinity.
• A complete cluster has replication factor number of copies of all its
buckets, with search factor number of searchable copies. It therefore
meets the designated requirements for failure tolerance. A complete
cluster is also a valid cluster.
The splunk offline command has two versions, one that takes the peer offline
temporarily and another that takes it offline permanently.
When a peer goes offline temporarily, the master kicks off processes to return it
to a valid state, but it does not ordinarily attempt to return it to a complete state,
because the cluster regains its complete state as soon as the peer comes back
online.
When you take a peer offline permanently
When you take an indexer cluster peer offline permanently, you want to ensure
that the cluster continues to process data and handle searches without
interruption. You also want the cluster to replace any copies of buckets that are
lost by the peer going offline. For example, if the offline peer was maintaining
copies of 10 buckets (three searchable and seven non-searchable), the cluster
must recreate those copies on other peers in the cluster, to fulfill its replication
factor and search factor.
When a peer goes offline permanently, the master kicks off various bucket-fixing
processes, so that the cluster returns to a valid and complete state.
The splunk offline command handles both types of peer shutdown: temporary
and permanent. It takes the peer down gracefully, attempting to allow in-progress
searches to complete, while also returning the cluster quickly to the valid state. In
this way, it tries to eliminate disruption to existing or future searches.
There are two versions of the splunk offline command that correspond to the
typical use cases:
The fast version of the splunk offline command has the simple syntax: splunk
offline.
The cluster attempts to regain its valid state before the peer goes down. It does
not attempt to regain its complete state. You can use this version to bring the
peer down briefly without kicking off any bucket-fixing activities.
You can also use this version in cases where you want the peer to go down
permanently but quickly, with the bucket-fixing occurring after it goes down.
The peer goes down after the cluster attempts, within certain constraints, to meet
two conditions:
• Reallocation of primary copies on the peer, so that the cluster regains its
valid state
• Completion of any searches that the peer is currently participating in
The peer goes down after its primary bucket copies have been reallocated to
searchable copies on other peers, so that the cluster regains its valid state. The
maximum time period allotted for the primary allocation activity is determined by
the value of the decommission_node_force_timeout setting in the peer node's
server.conf file, which is five minutes by default.
You can also change the primary allocation timeout period for just a single
execution of the splunk offline command. See Syntax for the fast offline
command.
Note: If the cluster has a search factor of 1, the cluster does not attempt to
reallocate primary copies before allowing the peer to go down. With a search
factor of 1, the cluster cannot fix the primaries without first creating new
searchable copies, which takes significant time and thus would defeat the goal of
a fast shutdown.
The peer also waits for any ongoing searches to complete, up to a maximum
time period, as determined by the decommission_search_jobs_wait_secs
attribute in server.conf. The default for this attribute is three minutes.
Once these conditions have been met, or the maximum durations for the
activities have been exceeded, the peer goes down.
Here is the syntax for the fast version of the splunk offline command:
splunk offline
You run this command directly on the peer.
When you run this command, the peer shuts down after the cluster returns to a
valid state and the peer completes any ongoing searches, as described in The
fast offline process.
To change the time period allocated for the cluster to return to the valid state, run
this form of the command:
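A sketch, assuming the flag name mirrors the decommission_node_force_timeout setting described earlier (the placeholder value is in seconds):
splunk offline --decommission_node_force_timeout 600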
After the peer shuts down, you have 60 seconds (by default) to complete any
maintenance work and bring the peer back online. If the peer does not return to
the cluster within this time, the master initiates bucket-fixing activities to return
the cluster to a complete state. If you need more time, you can extend the time
that the master waits for the peer to come back online by configuring the
restart_timeout attribute, as described in Extend the restart period.
For detailed information on the processes that occur when a peer goes offline,
read What happens when a peer node goes down.
If you need to perform maintenance on a peer and you expect the time required
to exceed the master's restart_timeout period (set to 60 seconds by default),
you can change the value of that setting. Run this CLI command on the master:
splunk edit cluster-config -restart_timeout 900
You can run this command on the fly. You do not need to restart the master after
it runs.
The enforce-counts version of the offline command is intended for use when you
want to take a peer offline permanently, but only after the cluster has returned to
its complete state.
In this version of the command, the cluster performs the necessary bucket-fixing
activities to regain its valid and complete state before allowing the peer to go
down.
The peer goes down after the cluster meets two conditions:
• Completion of all bucket-fixing activities that are necessary for the cluster
to regain its complete state
• Completion of ongoing searches that the peer is participating in,
constrained by a time limit
The peer goes down only after its searchable and non-searchable bucket copies
have been reallocated to other peers, causing the cluster to regain its complete
state.
Because this version of splunk offline requires that the cluster return to a
complete state before the peer can go down, certain preconditions are necessary
before you can run this command.
The peer also waits for any ongoing searches to complete, up to a maximum
time, as determined by the decommission_search_jobs_wait_secs attribute in
server.conf. The default for this attribute is three minutes.
Here is the syntax for the enforce-counts version of the splunk offline
command:
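A sketch of the likely form, based on the enforce-counts flag that this section describes:
splunk offline --enforce-counts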
The actual time required to return to the complete state depends on the amount
and type of data the peer was maintaining. See Estimate the cluster recovery
time when a peer gets decommissioned for details.
If the cluster is unable to return to the complete state, the peer will not shut down.
This is due to issues described in The enforce-counts offline process. If you need
to take a peer offline despite such issues, run the fast version of the splunk
offline command instead.
For detailed information on the processes that occur when a peer gets
decommissioned, read What happens when a peer node goes down.
After a peer goes down, it continues to appear on the list of peers on the master
dashboard, although its status changes to "GracefulShutdown." To remove the
peer from the master's list, see Remove a peer from the master's list.
When you decommission a peer, the master coordinates activities among the
remaining peers to fix the buckets and return the cluster to a complete state. For
example, if the peer going offline is storing copies of 10 buckets and five of those
copies are searchable, the master instructs peers to:
• Stream copies of those 10 buckets to other peers, so that the cluster
regains a full complement of bucket copies (to match the replication
factor).
• Make five non-searchable bucket copies searchable, so that the cluster
regains a full complement of searchable bucket copies (to match the
search factor).
This activity can take some time to complete. Exactly how long depends on many
factors.
Despite these variable factors, you can make a rough determination of how long
the process will take. Assuming you are using Splunk Enterprise reference
hardware, here are some basic estimates of how long the two main activities
take:
• To stream 10GB (rawdata and/or index files) from one peer to another
across a LAN takes about 5-10 minutes.
• The time required to rebuild the index files on a non-searchable bucket
copy containing 4GB of rawdata depends on a number of factors such as
the size of the resulting index files, but 30 minutes is a reasonable
approximation to start with. Rebuilding index files is necessary if the
search factor is 1, meaning that there are no copies of the index files
available to stream. A non-searchable bucket copy consisting of 4GB
rawdata can grow to a size approximating 10GB once the index files have
been added. As described earlier, the actual size depends on numerous
factors.
Certain conditions can generate errors during hot bucket replication and cause
the source peer to roll the bucket. While this behavior is generally beneficial to
the health of the indexer cluster, it can result in many small buckets across the
cluster, if errors occur frequently. Situations that can generate an unacceptable
number of small buckets include persistent network problems or repeated
offlining of peers.
To stop this behavior, you can temporarily put the cluster into maintenance
mode. This can be useful for system maintenance work that generates repeated
network errors, such as network reconfiguration. Similarly, if you need to upgrade
your peers or otherwise temporarily offline several peers, you can invoke
maintenance mode to forestall bucket rolling during that time.
While maintenance mode is in effect, the cluster halts most bucket fix-up activity. In particular, it does not perform fixup that entails replicating buckets or
converting buckets from non-searchable to searchable. This means that the
master does not enforce replication factor or search factor policy during
maintenance mode. Therefore, if the cluster loses a peer node during
maintenance mode, it can be operating under a valid but incomplete state. See
Indexer cluster states to understand the implications of this.
Similarly, if the cluster loses peer nodes in numbers greater than the replication
factor, it also loses its valid state for the duration of maintenance mode.
In addition, if the cluster loses even a single peer node while in maintenance
mode, it can potentially return incomplete results for searches running during the
subsequent period of primary fixup. This period is usually short, often just a few
seconds, but even a short period of primary fixup can affect in-progress
searches.
Maintenance mode works the same for single-site and multisite clusters. It has
no notion of sites.
Put the cluster into maintenance mode before starting maintenance activity.
Once you have finished with maintenance, you should disable maintenance
mode.
To invoke maintenance mode, run this CLI command on the master node:
splunk enable maintenance-mode
Effective with version 6.6, maintenance mode persists across master restarts.
To turn off maintenance mode, run splunk disable maintenance-mode on the master. To confirm whether maintenance mode is on or off, run splunk show maintenance-mode. By default, maintenance mode is off.
When you restart a master or peer node, the master rebalances the primary
bucket copies across the set of peers, as described in Rebalance the indexer
cluster primary buckets.
For information on configuration changes that require a restart, see Restart after
modifying server.conf? and Restart or reload after configuration bundle
changes?.
You ordinarily do not need to restart the entire cluster. If you change a master's
configuration, you restart just the master. If you update a set of common peer
configurations, the master restarts just the set of peers, and only when
necessary, as described in Update common peer configurations.
If, for any reason, you do need to restart both the master and the peer nodes:
1. Restart the master node, as you would any instance. For example, run this CLI
command on the master:
splunk restart
2. Once the master restarts, wait until all the peers re-register with the master,
and the master dashboard indicates that all peers and indexes are searchable.
See View the master dashboard.
3. Restart the peers as a group, by running this CLI command on the master:
splunk rolling-restart cluster-peers
If you need to restart the search head, you can do so at any time, as long as the
rest of the cluster is running.
Restart a single peer
You might occasionally have need to restart a single peer; for example, if you
change certain configurations on only that peer.
Do not use the CLI splunk restart command to restart the peer, for the reasons
described later in this section. Instead, there are two ways that you can safely
restart a single peer:
• Restart the peer from Splunk Web.
• Run the splunk offline command on the peer, followed by splunk start.
When you use Splunk Web or the splunk offline/splunk start commands to
restart a peer, the master waits 60 seconds (by default) before assuming that the
peer has gone down for good. This allows sufficient time for the peer to come
back on-line and prevents the cluster from performing unnecessary remedial
activities.
Note: The actual time that the master waits is determined by the value of the
master's restart_timeout attribute in server.conf. The default for this attribute is
60 seconds. If you need the master to wait for a longer period, you can change
the restart_timeout value, as described in Extend the restart period.
The splunk offline/splunk start restart method has an advantage over the
Splunk Web method in that it waits for in-progress searches to complete before
stopping the peer. In addition, since it involves a two-step process, you can use it
if you need the peer to remain down briefly while you perform some
maintenance.
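For example, a minimal sketch of the two-step restart, run on the peer:
splunk offline
splunk start
Perform any brief maintenance between the two commands, keeping the downtime within the master's restart_timeout period.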
For information on the splunk offline command, read Take a peer offline.
Caution: Do not use the splunk restart command to restart the peer. If you use
the splunk restart command, the master will not be aware that the peer is
restarting. Instead, after waiting a default 60 seconds for the peer to send a
heartbeat, the master will initiate the usual remedial actions that occur when a
peer goes down, such as adding its bucket copies to other peers. The actual time
the master waits is determined by the master's heartbeat_timeout attribute. It is
inadvisable to change its default value of 60 seconds without consultation.
Use rolling restart
A rolling restart performs a phased restart of all peer nodes, so that the indexer
cluster as a whole can continue to perform its function during the restart process.
A rolling restart also helps ensure that load-balanced forwarders sending data to
the cluster always have a peer available to receive the data.
To set the default rolling restart mode for the splunk rolling-restart
cluster-peers command, see Set rolling restart behavior in server.conf.
During a rolling restart, approximately 10% (by default) of the peer nodes
simultaneously undergo restart, until all peers in the cluster complete restart. If
there are fewer than 10 peers in the cluster, one peer at a time undergoes restart.
The master node orchestrates the restart process, sending a message to each
peer when it is its turn to restart.
The restart percentage tells the master how many restart slots to keep open
during the rolling-restart process. For example, if the cluster has 30 peers and
the restart percentage is set to the default of 10%, the master keeps three slots
open for peers to restart. When the rolling-restart process begins, the master
issues a restart message to three peers. As soon as each peer completes its
restart and contacts the master, the master issues a restart message to another
peer, and so on, until all peers have restarted. Under normal circumstances, in
this example, there will always be three peers undergoing restart, until the end of
the process.
At the end of the rolling restart period, the master rebalances the cluster primary
buckets. See Rebalance the indexer cluster primary buckets to learn more about
this process.
Here are a few things to note about the behavior of a rolling restart:
You can initiate a rolling restart from Splunk Web or from the command line.
If you make changes to the percentage, the master overrides the default
value for percent_peers_to_restart in server.conf and the new value
becomes the default.
5. (Optional) If the cluster is a multisite cluster, you can change the order in
which sites in the cluster restart. Click the Specify site order checkbox,
then click the drop-down boxes to arrange the available sites in the order
that you want them to restart.
The site order drop down boxes only appear if the cluster is a multisite
cluster.
6. Click Begin rolling restart.
You can invoke the splunk rolling-restart command from the master:
splunk rolling-restart cluster-peers
For example, to cause 20% of the peers to restart simultaneously, first run this
command:
splunk edit cluster-config -percent_peers_to_restart 20
To restart all peers at once, set the value to 100:
splunk edit cluster-config -percent_peers_to_restart 100
An immediate restart of all peers can be useful under certain circumstances,
such as when no users are actively searching and no forwarders are actively
sending data to the cluster. It minimizes the time required to complete the restart.
After you change the percent_peers_to_restart value, you must run the splunk
rolling-restart command to initiate the actual restart.
Splunk Enterprise 7.1.0 and later provides a searchable option for rolling restarts.
The searchable option lets you perform a rolling restart of peer nodes with
minimal interruption of ongoing searches. You can use searchable rolling restart
to minimize search disruption, when a rolling restart is required due to regular
maintenance or a configuration bundle push.
When you initiate a searchable rolling restart, the master performs a restart of all
peer nodes one at a time. During the restart process for each peer, the master
reassigns bucket primaries to other peers to retain the searchable state, and all
in-progress searches complete within a configurable timeout. The master then
restarts the peer and the peer rejoins the cluster. This process repeats for each
peer until the rolling restart is complete.
restart within the search's timeframe.
Before you initiate a searchable rolling restart, make sure the search_retry
attribute in the [search] stanza of limits.conf is set to false (the default).
Setting this to true might cause searches that take longer than the
decommission_search_jobs_wait_secs period to generate duplicate or partial results
with no error message.
You can initiate a searchable rolling restart from Splunk Web or from the
command line.
Use the Force option with caution. This option can impact searches.
6. Click Begin Rolling Restart.
This initiates the searchable rolling restart. You can monitor the progress
of the searchable rolling restart in the Master dashboard.
To check the current health of the cluster, run the following command on the
master:
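A sketch of one command that produces this health summary (the --verbose flag is an assumption for this output; splunk show cluster-status without it also reports peer status):
splunk show cluster-status --verbose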
Searchable YES
Status Up
Bucket Count=14
Splunk Version=7.1.0
The following list shows the output values for the criteria that determine the health of the indexer cluster. Each entry gives the health check, its output value, and a description:
• Replication factor met (YES): The cluster has the specified number of copies of raw data.
• Search factor met (YES): The cluster has the specified number of searchable copies of data.
• All data is searchable (YES): The cluster has a searchable copy of all data.
• CM version is compatible (YES): The cluster master is running a compatible version of Splunk Enterprise.
• No fixup tasks in progress (YES): No cluster remedial activities (such as bucket replication or indexing non-searchable bucket copies) are underway.
• All peers are up (YES): All indexer cluster peers are running.
• Splunk version 7.1 or later peer count (# of peers): The number of peers running Splunk Enterprise version 7.1 or later.
Health checks are not all inclusive. Checks apply only to the criteria listed.
2. Initiate a searchable rolling restart
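To initiate the restart from the CLI, a sketch (the -searchable parameter is an assumption):
splunk rolling-restart cluster-peers -searchable true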
"Request rejected. Wait until search factor is met and all data is
searchable."
If you want to proceed with the searchable rolling restart despite the health check
failure, use the force option to override the health check and initiate the
searchable rolling restart, as follows:
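A sketch of the forced form (the -force parameter is an assumption):
splunk rolling-restart cluster-peers -searchable true -force true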
You can set the default behavior for rolling restart using the rolling_restart
attribute in the [clustering] stanza of server.conf. This attribute lets you define
the type of rolling restart the master performs on the peers. It also provides a
convenient way to automatically load options for the splunk rolling-restart
cluster-peers command as an alternative to passing them from the command
line.
[clustering]
mode = master
replication_factor = 3
search_factor = 2
pass4SymmKey = whatever
rolling_restart = searchable
3. Restart the master.
Set searchable rolling restart as default mode for bundle push
To set searchable rolling restart as the default mode for configuration bundle
push, use the following attributes in the [clustering] stanza of server.conf:
For more information on configuration bundle push for indexer clusters, see
Apply the bundle to the peers.
[default]
defer_scheduled_searchable_idxc = false
3. Restart Splunk.
With a multisite cluster, by default, the rolling restart proceeds with site
awareness. That is, the master restarts all peers on one site before proceeding to
restart the peers on the next site, and so on. This ensures that the cluster is
always fully searchable, assuming that each site has a full set of primaries.
You can specify the site restart order through the -site-order parameter.
For example, if you have a three-site cluster, you can specify rolling restart with
this command:
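A sketch, assuming the parameter takes a comma-separated list of sites in the desired restart order:
splunk rolling-restart cluster-peers -site-order site3,site1,site2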
If you do not want the peer nodes to restart on a site-by-site basis, but instead
prefer the master to select the next restart peer randomly, from across all sites,
you can use the parameter -site-by-site=false.
How the master determines the number of multisite peers to restart in each
round
You can specify the percentage of peers that restart simultaneously by editing
the percent_peers_to_restart attribute in server.conf, in the same way that
you do for a single-site cluster. This percentage is always calculated globally,
even for site-aware rolling restarts.
Assuming the default of 10%, in a two-site cluster with 10 peers on site1 and 20
peers on site2, for a total of 30 peers, the master restarts three peers at a time.
1. The master selects a site to restart first, for example, site2. (The site order
is configurable.)
2. The master restarts three peers from site2.
3. The master continues to restart peers from site2 as slots become
available, until it restarts all 20 peers on site2. It waits until all peers on
site2 restart before proceeding to site1. The master does not split restart
slots across multiple sites.
4. The master restarts three peers on site1.
5. The master continues to restart peers from site1 until it restarts all 10
peers on site1.
If the peer instances restart slowly, the peers in one group might still be
undergoing restart when the master tells the next group to initiate restart. This
can occur, for example, due to inadequate machine resources. To remedy this
issue, you can increase the value of restart_timeout in the master's
server.conf file. Its default value is 60 seconds.
A cluster supports two types of rebalancing:
• Primary rebalancing
• Data rebalancing
Primary rebalancing
The goal of primary rebalancing is to balance the search load across the peer
nodes.
Primary rebalancing redistributes the primary bucket copies across the set of
peer nodes. It attempts, to the degree possible, to ensure that each peer has
approximately the same number of primary copies.
Primary rebalancing simply reassigns primary markers across the set of existing
searchable copies. It does not move searchable copies to different peer nodes.
Because of this limitation, primary rebalancing is unlikely to achieve a perfect
balance of primaries.
Because primary rebalancing only reassigns markers and does not cause any
bucket copies to move between peers, it occurs quickly.
Data rebalancing
The goal of data rebalancing is to balance the storage distribution across the
peer nodes.
During data rebalancing, the cluster moves bucket copies from peers with more
copies to peers with fewer copies. Since this type of rebalancing includes
searchable copies, it overcomes the limitation inherent in primary rebalancing
and achieves a significantly better balance of primaries.
When you start or restart a master or peer node, the master rebalances the set of
primary bucket copies across the peers, in an attempt to spread the primary
copies as equitably as possible. Ideally, if you have four peers and 300 buckets,
each peer would hold 75 primary copies. The purpose of primary rebalancing is
to even the search load across the set of peers.
To achieve primary rebalancing, the master reassigns the primary state from
existing bucket copies to searchable copies of the same buckets on other peers,
as necessary. This rebalancing is a best-effort attempt; there is no guarantee that
full, perfect rebalance will result.
Primary rebalancing occurs automatically whenever a peer or master node joins
or rejoins the cluster. In the case of a rolling restart, rebalancing occurs once, at
the end of the process.
Note: Even though primary rebalancing occurs when a new peer joins the
cluster, that peer won't participate in the rebalancing, because it does not yet
have any bucket copies. The rebalancing takes place among any existing peers
that have searchable bucket copies.
When performing primary rebalancing on a bucket, the master just reassigns the
primary state from one searchable copy to another searchable copy of the same
bucket, if there is one and if, by doing so, the balance of primaries across peers
will improve. It does not cause peers to stream bucket copies, and it does not
cause peers to make unsearchable copies searchable. If an existing peer does
not have any searchable copies, it will not gain any primaries during rebalancing.
If you want to initiate the primary rebalancing process manually, you can either
restart a peer or hit the
/services/cluster/master/control/control/rebalance_primaries REST
endpoint on the master. For example, run this command on the master node:
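A sketch using curl against the endpoint named above (the credentials are placeholders, and the POST method is an assumption):
curl -k -u admin:<password> -X POST https://localhost:8089/services/cluster/master/control/control/rebalance_primaries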
The start or restart of a peer on any site triggers primary rebalancing on all sites.
For example, if you restart a peer on site1 in a two-site cluster, rebalancing
occurs on both site1 and site2.
View the number of primaries on a peer
To gain insight into the primary load for any peer, you can use the
cluster/master/peers endpoint to view the number of primaries that the peer
currently holds. The primary_count shows the number of primaries that the peer
holds for its local site. The primary_count_remote shows the number of primaries
that the peer holds for non-local sites, including site0.
By using this endpoint on all your peers, you can determine whether the cluster
could benefit from primary rebalancing.
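A sketch of querying the endpoint on the master (the credentials and host are placeholders; output_mode=json is optional):
curl -k -u admin:<password> "https://<master>:8089/services/cluster/master/peers?output_mode=json"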
To rebalance indexer cluster data, you rebalance the set of bucket copies so that
each peer holds approximately the same number of copies. This helps ensure
that each peer has a similar storage distribution.
Imbalanced data increases the likelihood that one or more peers will run out of
disk space and thus transition to the detention state. In the detention state, the
peer no longer indexes new data, and so forwarders can no longer send data to
that peer. When that happens, a load-balanced forwarder shifts its incoming data
to other peers, increasing the indexing burden on those peers. In the worst-case
scenario, if the forwarder is not configured for load-balancing, its data gets lost.
In addition, as its existing data ages, the peer in detention will contain relatively
older data compared to other peers. Since most searches focus on newer data,
this means that the peer's data will typically get searched less frequently, shifting
the burden of the search load onto the peers that are not in detention.
Aside from detention considerations, imbalanced data can affect peer utilization
during searches. If some peer nodes hold more bucket copies for a particular
index compared to other peer nodes, they will have a greater part of the search
workload for searches on that index. For this reason, data rebalancing is
index-aware. When rebalancing completes, each peer will have approximately
the same number of bucket copies for each index.
Data rebalancing is useful in situations such as these:
• Newly added peer nodes. When you add a new peer, it initially has no
bucket copies. Through data rebalancing, you can move copies onto that
peer from other peers.
• Uneven forwarding of data. If the forwarders are sending more data to
some peer nodes, it is likely that those peers will hold more bucket copies.
Rebalancing provides a way to move copies from those peers to peers
with fewer copies.
Limitations of data rebalancing
Data rebalancing has limitations regarding its effect on storage utilization and on concurrent searches.
The master node controls the data rebalancing process. To achieve the goal of
equitable distribution of bucket copies across all peer nodes, the master moves
bucket copies from peers with an above-average number of copies to peers with
a below-average number of copies. It continues this process until the cluster is
balanced, with each peer holding approximately the same number of bucket
copies.
The cluster initiates rebalancing on buckets one at a time, in sequence, until rebalancing is complete. It does not wait for one bucket to finish before starting rebalancing on the next, so there will typically be a number of buckets simultaneously undergoing rebalancing. See Control rebalancing load.
Data rebalancing removes any excess bucket copies, both at the start of the
rebalancing process and during rebalancing, as extra bucket copies are
generated.
The master performs primary rebalancing at the end of the data rebalancing
process.
The rebalancing process balances the bucket copies by index. When rebalancing
completes, each peer holds approximately the same number of bucket copies in
total, as well as the same number of copies split by index.
For example, say you have a cluster with four peers and two indexes, index1 and
index2. Index1 has 100 bucket copies distributed across all peers. Index2 has
300 copies distributed across all peers, for a total of 400 copies of all buckets
across all peers.
Before rebalancing, the bucket copies might be distributed unevenly across the set of peers, with some peers holding many more copies of each index than others.
After rebalancing, the bucket distribution will look approximately like this:
• Peer1: 100 total
♦ Index1: 25
♦ Index2: 75
• Peer2: 100 total
♦ Index1: 25
♦ Index2: 75
• Peer3: 100 total
♦ Index1: 25
♦ Index2: 75
• Peer4: 100 total
♦ Index1: 25
♦ Index2: 75
The degree to which you can balance a multisite cluster across sites depends on
the site replication and search factors. For example, if you have a site replication
factor of origin:2,total:3, the cluster maintains two-thirds of the copies on their
origin site. If one site originates more buckets than another, rebalancing cannot
address the resulting imbalance without violating the site replication factor, and
so the imbalance will remain. Similarly, the cluster will not rebalance in a way that
violates explicit site requirements. Intersite balancing does, however, balance
non-explicit copies across sites.
You can rebalance the data for all indexes or for just a single index. In addition,
you can set a timeout for the rebalancing.
To rebalance the data, run this CLI command on the master node:
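A sketch of the command (the -index and -max_runtime parameters correspond to the single-index and timeout options described here; their exact names are assumptions):
splunk rebalance cluster-data -action start [-index <index_name>] [-max_runtime <minutes>]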
You can optionally limit the rebalancing run to a specified number of minutes. The rebalancing stops automatically if the
timeout limit is reached, even if there are still more buckets to process. For
details on what happens when data rebalancing stops prematurely, see
Stop data rebalancing.
You can also initiate rebalancing from the master dashboard. See Use the
master dashboard to initiate and configure rebalancing.
• Data rebalancing can cause primary bucket copies to move to new peers,
so search results are not guaranteed to be complete while data
rebalancing continues.
• The fix-up activities associated with data rebalancing have a low priority
compared to other bucket fix-up activities, such as maintaining the
replication and search factors, so rebalancing will wait while other fix-up
activity completes.
To stop data rebalancing prematurely, run this CLI command on the master
node:
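A sketch, assuming the stop action parallels the start action shown earlier:
splunk rebalance cluster-data -action stop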
To see whether data rebalancing is running, run this CLI command on the master
node:
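A sketch, assuming a status action parallels the start and stop actions:
splunk rebalance cluster-data -action status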
Configure the data rebalancing threshold
The master attempts to achieve a reasonable, but not perfect, balance, in which
the resulting number of copies on each peer lies within a narrow range to either
side of the average number of copies for all peers.
With the default rebalance_threshold setting of 0.90, rebalancing continues until the number of copies
on each peer lies within a range of .90 to 1.10 of the average. For example, if you
have three peers holding between them a total of 300 copies, meaning that there
is an average of 100 copies per peer, the rebalancing process stops when every
peer holds between 90 and 110 copies.
If you decide instead that a 95% balance is preferable, you can set
rebalance_threshold to 0.95. The master will then perform any necessary
rebalancing until the number of copies on each peer lies within a range of .95 to
1.05 of the average.
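A sketch of how the setting might appear in the master's server.conf (the [clustering] stanza placement is an assumption):
[clustering]
rebalance_threshold = 0.95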
The cluster considers each index individually against the threshold. That is, the
goal of the rebalancing is to ensure that each index is balanced to the tolerance
set by the rebalance_threshold attribute.
You can configure the rebalancing load to minimize the effect that the
consequent fix-up activity has on peer indexing and search performance.
The settings that control the rebalancing load are
max_peer_rep_load and max_peer_build_load in the [clustering] stanza of
server.conf.
Data rebalancing uses the value of these attributes reduced by 1, if the attribute
value is greater than 1. For example, if you set max_peer_rep_load to 4, then the
peer can participate in a maximum of three (not four) concurrent rebalancing
replications as a target.
You can initiate and configure rebalancing through the master dashboard. See
Configure the master with the dashboard.
1. Click the Edit button on the upper right side of the dashboard.
2. Select the Data Rebalance option.
A pop-up window appears with several fields.
3. Fill out the fields as necessary:
♦ Threshold. Change the rebalancing threshold.
♦ Max Runtime. Stop the rebalancing process after a set period of
time. If you leave this field empty, rebalancing continues until all
peers are within the threshold limit.
♦ Index. Run rebalancing on a single index or across all indexes.
4. To start rebalancing, click the Start button.
Excess copies do not interfere with the operation of the cluster, but they are
unnecessary and require extra disk space.
You can view and remove excess bucket copies from the Master dashboard or
from the CLI.
How excess copies originate
Excess copies can result from peers leaving the cluster and then returning to it.
When a peer goes down, the cluster initiates bucket fixing activities to
compensate for any copies on that peer, because those copies are no longer
available to the cluster. The goal of bucket fixing is to return the cluster to the
complete state, where each bucket has a replication factor number of copies
and a search factor number of searchable copies.
If the peer later returns to the indexer cluster, any bucket copies that the peer
retained while down are once again available to the cluster. This can result in the
cluster maintaining excess copies of some buckets, as described in the topic
What happens when a peer node comes back up.
In effect, a returning peer can cause the cluster to store more copies of some
buckets than are needed to fulfill the replication factor and, possibly, the search
factor as well. It can sometimes be useful to keep the extra copies around, as
that topic explains, but you can save disk space by instead removing them.
1. On the master node, click Settings on the upper right side of Splunk Web.
This tab provides a list of indexes with excess bucket copies. It enumerates both
buckets with excess copies and buckets with excess searchable copies. It also
enumerates the total excess copies in each category. For example, if your index
"new" has one bucket with three excess copies, one of which is searchable, and
a second bucket with one excess copy, which is non-searchable, the row for
"new" will report:
• 2 buckets with excess copies
• 1 bucket with excess searchable copies
• 4 total excess copies
• 1 total excess searchable copies
If you want to remove the excess copies for a single index, click the Remove
button on the right side of the row for that index.
If you want to remove the excess copies for all indexes, click the Remove All
Excess Buckets button.
The Splunk CLI has two commands that help manage and remove excess bucket
copies. You can run these commands either across the entire set of indexes or
on just a single index.
To find out how many buckets have extra copies, including extra searchable
copies, run this command from the master:
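A sketch of the command (the optional index name argument, which limits output to a single index, is an assumption):
splunk list excess-buckets [<index_name>]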
index=_audit
Total number of buckets=4
Number of buckets with excess replication copies=0
Number of buckets with excess searchable copies=0
Total number of excess replication copies across all buckets=0
Total number of excess searchable copies across all buckets=0
index=_internal
Total number of buckets=4
Number of buckets with excess replication copies=0
Number of buckets with excess searchable copies=0
Total number of excess replication copies across all buckets=0
Total number of excess searchable copies across all buckets=0
index=main
Total number of buckets=5
Number of buckets with excess replication copies=5
Number of buckets with excess searchable copies=5
Total number of excess replication copies across all buckets=10
Total number of excess searchable copies across all buckets=5
Remove extra bucket copies
To remove all extra bucket copies from the cluster (or from one index on the
cluster), run this command from the master:
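A sketch of the command (the optional index name argument is an assumption):
splunk remove excess-buckets [<index_name>]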
A peer can enter detention either automatically, in response to a low level of free
disk space, or manually.
Automatic detention
The peer node enters the detention state automatically when it runs low on disk
space. The setting that controls automatic detention is minFreeSpace in
server.conf. The default value is 5000 (megabytes), or 5GB, meaning that the peer enters
detention when it has less than 5GB of free disk space.
The peer automatically leaves the detention state when its free disk space grows
to exceed minFreeSpace.
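A sketch of how the setting might appear in the peer's server.conf (the [diskUsage] stanza placement is an assumption):
[diskUsage]
minFreeSpace = 5000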
Manual detention
When you put a peer into manual detention, the peer:
• optionally disables external data ports, causing it to stop indexing most
types of external data.
• continues to index internal data.
• continues to participate in searches.
When you manually put a peer into the detention state, it remains in detention
until you remove it from detention. Manual detention persists through peer
restart.
You can optionally disable external data ports when setting a peer to manual
detention. This brings a halt to the indexing of most external data, including
• TCP inputs
• UDP inputs
• HTTP event collector data inputs
• data sent from a forwarder to the peer through its receiving port
However, external data can continue to enter the peer through these methods:
• scripted inputs
• file and folder monitoring
• the receivers/stream endpoint
In addition, the indexer can continue to route incoming data to another Splunk
Enterprise instance or to a third-party system.
Use cases
Here are some of the key use cases for manual detention:
• To bring a near halt to the growth of disk usage on the peer, for example,
if the peer is close to running out of space.
• To effectively decommission an old peer, making it available only for
searches on existing data.
• To stop a troublesome peer from handling external or replicated data,
while keeping the peer available for diagnostics.
• To force new data to go to the new peers, when you add new peers to a
cluster.
• To slow the growth of disk usage on a peer that belongs to a pre-approved
firewall exception list and needs to continue receiving incoming data. For
this use case, you can configure the peer to stop replication activity but
continue to consume external data.
To put a peer into detention, run the CLI command splunk edit cluster-config
with the -manual_detention parameter.
• on. The peer enters detention and closes the ports that consume incoming
data. These ports are the receiving TCP, UDP, and HTTP event collector
ports. The effect of closing the ports is to halt indexing of most external
data. The peer continues to index internal data. The peer stops replicating
data from other peer nodes.
• on_ports_enabled. The peer enters detention and the ports stay open to
accept incoming data. The peer continues to index both external and
internal data. The peer stops replicating data from other peer nodes.
• off. The peer is not in detention. This is the default.
You can run this command from the peer itself or from the master node.
Caution: The peer must have a status of "Up" before you put it into
detention. For information on how to determine the status of a peer, see View the
master dashboard.
• -peers specifies the set of peers that you want to put in detention. Identify
each peer by its GUID. When you run the command from the master
node, you must include this parameter.
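For example, a sketch of the two invocations (the GUIDs are placeholders):
splunk edit cluster-config -manual_detention on
splunk edit cluster-config -manual_detention on -peers <guid1>,<guid2>
Run the first form on the peer itself, and the second form on the master to target specific peers.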
Take a peer out of manual detention
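To take the peer out of detention, set the parameter back to off, as a sketch based on the parameter values listed earlier:
splunk edit cluster-config -manual_detention off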
You can view the states, detention-related or otherwise, of all peers from the
master dashboard. See View the master dashboard.
You can also use the DMC to view the state of the peers.
• To view the state of all peers, run this command on the master:
• To view the state of a single peer, run this command on the peer:
You can use the splunk remove cluster-peers command to remove peers from
the list:
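A sketch of the command, run from the master with placeholder GUIDs (the -peers parameter mirrors its use for manual detention and is an assumption here):
splunk remove cluster-peers -peers <guid1>,<guid2>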
You can also remove the peer from the master's list by restarting the master.
For information on the master dashboard's list of peers, see View the master
dashboard.
Manage a multisite indexer cluster
In the meantime, the cluster continues to function as best it can. The peers
continue to stream data to other peers based on the list of target peers that they
were using at the time the master went down. If some of their target peers go
down (as would likely be the case in a site failure), they remove them from their
lists of streaming targets and continue to stream data to any peers remaining on
their lists.
1. Configure a stand-by master on at least one of the sites not hosting the current
master. See Replace the master node on the indexer cluster. This is a
preparatory step. You must do this before the need arises.
2. When the master site goes down, bring up a stand-by master on one of the
remaining sites. See Replace the master node on the indexer cluster.
Note: If the failed site later comes back up, you need to point the peers on that
site to the new master. See Ensure that the peer and search head nodes can find
the new master.
Restart indexing in multisite cluster after master restart or site failure
When the master restarts, it blocks indexing until enough peers are available. You might need to run the splunk set indexing-ready command on the master to unblock indexing if the cluster cannot fulfill all aspects of the site replication factor (for example, in the case of site failure). These circumstances include:
• A site goes down and you later need to restart the master for any reason.
• The site with the master goes down and you bring up a stand-by master
on another site.
If a site goes down but the master, running on another site, remains up, indexing
continues as usual, because the master only runs the check at start-up.
Similarly, if site1, which has the master, goes down and you bring up a stand-by
master on site2, the new master initially blocks indexing because site1 is not
available. You can then use the command to tell the new master to restart
indexing.
Important: You must run the splunk set indexing-ready command every time
you restart the master under the listed circumstances. The command unblocks
indexing only for the current restart.
Note: Although this command is designed with site failure in mind, you can also
use it to restart indexing on a single-site cluster prior to the replication factor
number of peers being available. In that circumstance, however, it is usually
better just to wait until the replication number of peers rejoin the cluster.
1. Stop all cluster nodes (master/peers/search heads).
• Upon restart, the master picks a primary copy for each bucket.
• After the conversion, any bucket copies that exceed the single-site
replication factor remain in place. For information on removing these extra
copies, see Remove excess bucket copies.
• Future bucket replication and bucket fixing will follow the values set for the
single-site replication and search factors.
Move a peer to a new site
Use this procedure to relocate a peer to another site. This can be useful if a peer
was shipped to the wrong site and the mistake was discovered only after the
peer was deployed on the cluster.
1. Take the peer offline with the offline command, as described in Take a peer
offline. The master will reassign the bucket copies handled by this peer to other
peers in the same site.
3. Delete the entire Splunk Enterprise installation from the server, including its
index database with all bucket copies.
4. Reinstall Splunk Enterprise on the server, re-enable clustering, and set the
peer's site value to the new site location.
Decommission a site
Prerequisites
The cluster must meet these conditions before you decommission one of its
sites:
Steps
1. For each search head on the site, either disable the search head or
change the search head's site attribute to specify a remaining site. For
example, to change the search head's site to site2:
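A likely form of the command, assuming the standard -site parameter of splunk edit cluster-config, run on the search head and followed by a restart:

splunk edit cluster-config -site site2
splunk restart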
2. For each forwarder that uses indexer discovery and specifies the
decommissioned site, change its site attribute to specify a remaining site.
For example, to change the forwarder's site to site2:
[general]
site = site2
You must restart the forwarder for the configuration change to take effect.
See Use indexer discovery in a multisite cluster.
3. Run splunk enable maintenance-mode on the master. This step prevents
unnecessary bucket fix-ups. See Use maintenance mode.
4. To confirm that the master has entered maintenance mode, run splunk
show maintenance-mode.
5. Update these attributes on the master:
♦ available_sites
♦ site_replication_factor
♦ site_search_factor
♦ site_mappings
For details on the necessary updates, see Reconfigure attributes.
6. Restart the master. This step causes the attribute changes to take effect.
Note: When the master restarts, the peers from the decommissioned site
will unsuccessfully try to rejoin the cluster. Ignore the resulting messages.
7. Run splunk disable maintenance-mode on the master. This step starts
fix-up activities for peers on the remaining sites.
8. To confirm that the master has left maintenance mode, run splunk show
maintenance-mode.
9. Run splunk stop on each peer on the decommissioned site. You can now
remove these peers from the site.
10. To verify that the decommissioning was successful, look at the top of
the master dashboard. It should state that both the search factor and the
replication factor are met. When both are met, the cluster is in a complete
state, indicating that the decommissioning was successful. See View the
master dashboard.
Note: Because site decommissioning typically involves a large amount of
bucket fix-up activity, it can take a considerable amount of time for the
cluster to return to its complete state.
Reconfigure attributes
When you decommission a site, you must make changes to several site-specific
attributes in server.conf on the master node:
• available_sites: Remove the decommissioned site from the site list for
this attribute.
• site_replication_factor and site_search_factor: If the
decommissioned site is an explicit site in either of these attributes, remove
it and otherwise reconfigure the attribute as necessary.
• site_mappings: Add a mapping for the decommissioned site to this
attribute. See Map the decommissioned site.
You must restart the master node after you change any of these attributes.
When a site gets decommissioned, the origin bucket copies for that site remain
bound to the decommissioned site until you map the site to a remaining, active
site. This can make the cluster unable to meet its replication or search factors.
To deal with this issue, you can map decommissioned sites to active sites. The
bucket copies for which a decommissioned site is the origin site will then be
replicated to the active site specified by the mapping, allowing the cluster to
again meet its replication and search factors.
Syntax
Map the site before you decommission it. See Decommission a site.
To map a site that you are planning to decommission to a remaining site, use the
site_mappings attribute in server.conf. Set this attribute on the master node
only. The value is a comma-separated list of mappings, where each mapping
pairs a decommissioned site with a remaining active site, in the form
decommissioned_site:active_site.
Examples
These examples assume a cluster that originally had five sites, site1 through
site5.
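For example, to map decommissioned sites site2 and site3 to the remaining site site4, assuming the attribute resides in the [clustering] stanza of the master node's server.conf:

[clustering]
site_mappings = site2:site4,site3:site4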
How indexer clusters work
• Replication factor. This specifies how many copies of the data the cluster
maintains. It influences the cluster's resiliency, its ability to withstand
multiple node failures.
• Search factor. This specifies how many copies of the data are
searchable. It influences how quickly a cluster can recover from a
downed node.
• Buckets. These are the basic storage containers for indexes. They
correspond to subdirectories in the indexer's database.
• Cluster states. These states describe the health of the cluster.
You can find an overview to these concepts in the introductory topic on cluster
architecture, Basic indexer cluster architecture. Topics in the chapter you are
now reading provide more detail.
Replication factor
As part of setting up an indexer cluster, you specify the number of copies of data
that you want the cluster to maintain. Peer nodes store incoming data in
buckets, and the cluster maintains multiple copies of each bucket. The cluster
stores each bucket copy on a separate peer node. The number of copies of each
bucket that the cluster maintains is the replication factor.
The cluster can tolerate a failure of (replication factor - 1) peer nodes. For
example, to ensure that your system can tolerate a failure of two peers, you must
configure a replication factor of 3, which means that the cluster stores three
identical copies of each bucket on separate nodes. With a replication factor of 3,
you can be certain that all your data will be available if no more than two peer
nodes in the cluster fail. With two nodes down, you still have one complete copy
of data available on the remaining peers.
By increasing the replication factor, you can tolerate more peer node failures.
With a replication factor of 2, you can tolerate just one node failure; with a
replication factor of 3, you can tolerate two concurrent failures; and so on.
The trade-off is that you need to store and process all those copies of data.
Although the replication activity doesn't consume much processing power, as
the replication factor increases, you need to run more indexers and provision
more storage for the indexed data. On the other hand, since data replication itself
requires little processing power, you can take advantage of the multiple indexers
in a cluster to ingest and index more data. Each indexer in the cluster can
function as both originating indexer ("source peer") and replication target ("target
peer"). It can index incoming data and also store copies of data from other
indexers in the cluster.
In the following diagram, one peer is receiving data from a forwarder, which it
processes and then streams to two other peers. The cluster will contain three
complete copies of the peer's data, one copy on each peer.
• Each peer stores its own indexed data as well as replicated data from other
peers.
• To accommodate horizontal scaling, a cluster with a replication factor of 3
could consist of many more peers than three. At any given time, each
source peer would be streaming copies of its data to two target peers, but
each time it started a new hot bucket, its set of target peers could
potentially change.
Later topics in this chapter describe in detail how clusters process data.
A multisite cluster uses a special version of the replication factor, the site
replication factor. This determines not only the number of copies that the entire
cluster maintains but also the number of copies that each site maintains. For
information on the site replication factor, see Configure the site replication factor.
Search factor
When you configure the master node, you designate a search factor. The
search factor determines the number of searchable copies of data the indexer
cluster maintains. In other words, the search factor determines the number of
searchable copies of each bucket. The default value for the search factor is 2,
meaning that the cluster maintains two searchable copies of all data. The search
factor must be less than or equal to the replication factor.
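These two settings are configured together on the master node. A minimal sketch of the relevant server.conf stanza (values are illustrative):

[clustering]
mode = master
replication_factor = 3
search_factor = 2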
With a search factor of at least 2, the cluster is able to continue searching with
little interruption if a peer node goes down. For example, say you specify a
replication factor of 3 and a search factor of 2. The cluster will maintain three
copies of all buckets on separate peers across the cluster, and two copies of
each bucket will be searchable. Then, if a peer goes down and it contains a
bucket copy that has been participating in searches, a searchable copy of that
bucket on another peer can immediately step in and start participating in
searches.
On the other hand, if the cluster's search factor is only 1 and a peer goes down,
there will be a significant lag before searching can resume across the full set of
cluster data. Although non-searchable copies of the buckets can be made
searchable, doing so takes time, because the index files must first be built from
the raw data file. The processing time can be significant if the peer that went
down was storing a large quantity of searchable data. For help estimating the
time needed to make non-searchable copies searchable, see Estimate the
cluster recovery time when a peer gets decommissioned.
The reason you might want to limit the number of searchable copies on your
cluster is because searchable data occupies a lot more storage than
non-searchable data. The trade-off, therefore, is between quick access to all your
data in case of peer node failure versus increased storage requirements. For
help estimating the relative storage sizes of searchable and non-searchable data,
read Storage considerations. For most needs, the default search factor of 2
represents the right trade-off.
A multisite cluster uses a special version of the search factor, the site search
factor. This determines not only the number of searchable copies that the entire
cluster maintains but also the number of searchable copies that each site
maintains. For information on the site search factor, see Configure the site
search factor.
For example, if you have five peers in the cluster and a replication factor of 3
(a typical scenario for horizontal scaling), the
cluster will maintain three copies of each bucket (the original copy on the source
peer and replicated copies on two target peers). Each time the source peer starts
a new hot bucket, the master gives the peer a new set of target peers to replicate
data to. Therefore, while the original copies will all be on the source peer, the
replicated copies of those buckets will be randomly spread across the other
peers. This behavior is not configurable. The one certainty is that you will never
have two copies of the same bucket on the same peer. In the case of a multisite
cluster, you can also configure the site location of the replicated copies, but you
still cannot specify the actual peer location.
The following diagram shows the scenario just described - five peers, a
replication factor of 3, and seven original source buckets, with their copies
spread across all the peers. To reduce complexity, the diagram only shows the
buckets for data originating from one peer. In a real-life scenario, most, if not all,
of the other peers would also be originating data and replicating it to other peers
on the cluster.
In this diagram, 1A is a source bucket. 1B and 1C are copies of that bucket. The
diagram uses the same convention with 2A/B/C, 3A/B/C, and so on.
You need a good grasp of buckets to understand cluster architecture. The rest of
this section describes some bucket concepts of particular importance for a
clustered deployment. For a thorough introduction to buckets, read "How the
indexer stores indexes".
Data files
Each bucket contains two key types of files: a compressed rawdata journal file
and the associated index files. Buckets contain a few other types of files as well,
but these two are the ones that are most important to understand.
Rawdata is not actually "raw" data, as the term might be defined by a dictionary.
Rather, it consists of the external data after it has been processed into events.
The processed data is stored in a compressed rawdata journal file. As a journal
file, the rawdata file, in addition to containing the event data, contains all
information necessary to generate the associated index files, if they are missing.
All bucket copies, both searchable and non-searchable, contain rawdata files.
Searchable copies also contain index files.
When a peer node receives a block of data from a forwarder, it processes the
data and adds it to the rawdata file in its local hot bucket. It also indexes it,
creating the associated index files. In addition, it streams copies of just the
processed rawdata to each of its target peers, which then add it to the rawdata
files in their own copies of the bucket. The rawdata in the original and the
replicated bucket copies is identical.
If the cluster has a search factor of 1, the target peers store only the rawdata in
the bucket copies. They do not generate index files for the data. By not storing
the index files on the target peers, you limit storage requirements. Because the
rawdata is stored as a journal file, if the peer maintaining the original, fully
indexed data goes down, one of the target peers can step in and generate the
indexes from its copy of the rawdata.
If the cluster has a search factor greater than 1, some or all of the target peers
also create index files for the data. For example, say you have a replication factor
of 3 and a search factor of 2. In that case, the source peer streams its rawdata to
two target peers. One of those peers then uses the rawdata to create index files,
which it stores in its copy of the bucket. That way, there will be two searchable
copies of the data (the original copy and the replicated copy with the index files).
As described in "Search factor", this allows the cluster to recover more quickly in
case of peer node failure. For more information on searchable bucket copies, see
"Bucket searchability" later in this topic.
See these topics for more information on bucket files:
• For information on how bucket files get regenerated when a peer goes
down, read "What happens when a peer node goes down".
• For information on the relative sizes of rawdata and index files, read
"Storage considerations".
Bucket stages
As it ages, a bucket moves through several stages:
• hot
• warm
• cold
• frozen
For detailed information about these stages, read "How the indexer stores
indexes".
For the immediate discussion of cluster architecture, you just need a basic
understanding of these bucket stages. A hot bucket is a bucket that's still being
written to. When an indexer finishes writing to a hot bucket (for example,
because the bucket reaches a maximum size), it rolls the bucket to warm and
begins writing to a new hot bucket. Warm buckets are readable (for example, for
searching) but the indexer does not write new data to them. Eventually, a bucket
rolls to cold and then to frozen, at which point it gets archived or deleted.
There are a couple other details that are important to keep in mind:
Bucket searchability and primacy states
Note: In the case of a multisite cluster, a valid cluster is a cluster that has a set of
primary copies for each site that supports search affinity. In search affinity,
search heads perform searches across the peers on their local site. This requires
that each site have its own set of primary buckets.
Initially, the copy of the bucket on the peer originating the data is the primary
copy, but this can change over time. For example, if the peer goes down, the
master reassigns primacy from any primary copies on the downed peer to
corresponding searchable copies on remaining peers. For more information on
this process, read "What happens when a peer node goes down".
Primacy reassignment also occurs when the master rebalances the cluster, in an
attempt to achieve a more even distribution of primary copies across the set of
peers. Rebalancing occurs under these circumstances:
• A master rejoins the cluster.
• You manually hit the rebalance_primaries REST endpoint on the master.
The following diagram shows buckets spread across all the peers, as in the
previous diagram. The cluster has a replication factor of 3 and a search factor of
2, which means that the cluster maintains two searchable copies of each bucket.
Here, the copies of the buckets on the source peer are all primary (and therefore
also searchable). The buckets' second searchable (but non-primary) copies are
spread among most of the remaining peers in the cluster.
Generations
Note: The actual set of buckets that get searched also depends on other factors
such as the search time range. This is true for any indexer, clustered or not.
The generation changes over time, as peers leave and join the cluster. When a
peer goes down, its primary bucket copies get reassigned to other peers. The
master also reassigns primaries under certain other circumstances, in a process
known as "cluster rebalancing".
All peers that are currently registered with the master participate in the current
generation. When a peer joins or leaves the cluster, the master creates a new
generation.
Note: Since the process of reassigning primary to new bucket copies is not
instantaneous, the cluster might quickly go through a number of generations
while reassigning primacy due to an event such as a downed peer, particularly in
the case where numerous primaries were residing on the downed peer.
The generation is a cluster-wide attribute. Its value is the same across all sites in
a multisite cluster.
• The peers keep track of which of their bucket copies are primary for each
generation. The peers retain primary information across multiple
generations.
• For each search, the search head uses the generation ID that it gets from
the master to determine which peers to search across.
The master creates a new generation under these circumstances:
• When a peer node goes down. The master reassigns primacy from bucket
copies on the downed node to searchable copies of the same buckets on the
remaining nodes and creates a new generation.
• Whenever rebalancing of the primary copies occurs, such as when you
manually hit the rebalance_primaries REST endpoint on the master. For
information on rebalancing, see "Rebalance the indexer cluster primary
buckets".
• When the master resolves certain bucket anomalies.
The master does not create a new generation merely when a bucket rolls from
hot to warm, thus causing a new hot bucket to get created (unless the bucket
rolled for one of the reasons listed above). In that situation, the set of peers
doesn't change. The search head only needs to know which peers are part of the
generation; that is, which peers are currently participating in the cluster. It does
not need to know which bucket copies on a particular peer are primary; the peer
itself keeps track of that information.
The search heads poll the master for the latest generation information at regular
intervals. When the generation changes, the master gives the search heads the
new generation ID and a list of the peers that belong to that generation. Each
search head, in turn, gives the peers the ID whenever it initiates a search. The
peers use the ID to identify which of their buckets are primary for that search.
Usually, a search occurs over the most recent generation of primary bucket
copies. In the case of long-running searches, however, it is possible that a
search could be running across an earlier generation. This situation typically
occurs because a peer went down in the middle of the search. This allows the
long-running search to complete, even though some data might be missing due
to the downed peer node. The alternative would be to start the search over
again, which you can always do manually if necessary.
The reason that a downed peer causes the master to create a new generation is
because, when a peer goes down, the master reassigns the downed peer's
primary copies to copies on other peers. A copy that was not primary for a
previous generation becomes primary in the new generation. By knowing the
generation ID associated with a search, a peer is able to determine which of its
buckets are primary for that search.
For example, the diagram that follows shows the same simplified version of a
cluster as earlier, after the source node holding all the primary copies has gone
down and the master has directed the remaining peers in fixing the buckets.
First, the master reassigned primacy to the remaining searchable copy of each
bucket. Next, it directed the peers to make their non-searchable copies
searchable, to make up for the missing set of searchable copies. Finally, it
directed the replication of a new set of non-searchable copies (1D, 2D, etc.),
spread among the remaining peers.
Even though the source node went down, the cluster was able to fully recover
both its complete and valid states, with replication factor number (3) of total
bucket copies, search factor number (2) of searchable bucket copies, and exactly
one primary copy of each bucket. This represents a different generation from the
previous diagram, because primary copies have moved to different peers.
Note: This diagram only shows the buckets originating from one of the peers. A
more complete version of this diagram would show buckets originating from
several peers as they have migrated around the cluster.
In the case of a standalone indexer, when a bucket rolls to frozen, the indexer
deletes it from its colddb directory. Depending on its retirement policy, the
indexer might copy it to an archive directory before deleting it. See "Archive
indexed data."
Note: In 6.3, a change was made in how the cluster responds to frozen primary
bucket copies, in order to prolong the time that a bucket remains available for
searching:
• In a pre-6.3 cluster, when a primary copy freezes, the cluster does not
attempt to reassign the primary to any other remaining searchable copy.
Searching on a bucket ceases once the primary is frozen.
• In 6.3 and later, when a primary copy freezes, the cluster reassigns the
primary to another searchable copy, if one exists. Searching then
continues on that bucket with the new primary copy. When that primary
also freezes, the cluster attempts to reassign the primary yet again to
another searchable copy. Once all searchable copies of the bucket have
been frozen, searching ceases on that bucket.
In both pre-6.3 and post-6.3, when a copy freezes, the cluster does not perform
fix-up on the bucket; that is, it does not attempt to create a new copy, or to
convert a non-searchable copy to searchable, to meet replication and search
factors for the bucket.
• A valid cluster has exactly one primary copy of each bucket. In the case
of a multisite cluster, a valid cluster has one full set of primary copies for
each site that supports search affinity.
• A complete cluster has the replication factor number of copies of each bucket,
with the search factor number of searchable copies. In a multisite cluster, the
copies must also fulfill the site-specific requirements for the replication and
search factors.
• A valid cluster is able to handle search requests across the entire set of
data. A valid multisite cluster also meets any inherent search affinity goals.
When a peer node goes down, the master directs the cluster in activities
designed to recover both its valid and complete states. In some cases, the
cluster might be able to return to a valid state but not to a complete state. (For
example, consider a cluster containing three peers, with a replication factor of 3.
If one peer goes down, the cluster cannot recover its complete state as long as
the peer remains down, but it should be able to recover its valid state.) See
"What happens when a peer node goes down" for details on how the cluster
recovers from a downed node.
• Source node. The source node ingests data from forwarders or other
external sources.
• Target node. The target node receives streams of replicated data from the
source nodes.
In practice, a single peer functions as both a source and a target node, often
simultaneously.
Important: In a typical indexer cluster deployment, all the peer nodes are source
nodes; that is, each node has its own set of external inputs. This is not a
requirement, but it is generally the best practice. There is no reason to reserve
some peers for use just as target nodes. The processing cost of storing
replicated data is minimal, and, in any case, you cannot currently specify which
nodes will receive replicated data. The master determines that on a
bucket-by-bucket basis, and the behavior is not configurable. You must assume
that all the peer nodes will serve as targets.
Note: In addition to replicating external data, each peer replicates its internal
indexes to other peers in the same way. To keep things simple, this discussion
focuses on external data only.
Whenever the source peer starts a hot bucket, the master node gives it a list of
target peers to stream its replicated data to. The list is bucket-specific. If a source
peer is writing to several hot buckets, it could be streaming the contents of each
bucket to a different set of target peers.
The master chooses the list of target peers randomly. In the case of multisite
clustering, it respects site boundaries, as dictated by the replication factor, but
chooses the target peers randomly within those constraints.
1. The peer node registers with the master and receives the latest configuration
bundle from the master.
2. The master rebalances the primary bucket copies across the cluster and
starts a new generation.
3. The peer starts ingesting external data, in the same way as any indexer. It
processes the data into events and then appends the data to a rawdata file. It
also creates associated index files. It stores these files (both the rawdata and the
index files) locally in a hot bucket. This is the primary copy of the bucket.
4. The master gives the peer a list of target peers for its replicated data. For
example, if the replication factor is 3, the master gives the peer a list of two target
peers.
5. If the search factor is greater than 1, the master also tells the peer which of its
target peers should make its copy of the data searchable. For example, if the
search factor is 2, the master picks one specific target peer that should make its
copy searchable and communicates that information to the source peer.
6. The peer begins streaming the processed rawdata to the target peers
specified by the master. It does not wait until its rawdata file is complete to start
streaming its contents; rather, it streams the rawdata in blocks, as it processes
the incoming data. It also tells any target peers if they need to make their copies
searchable, as communicated to it by the master in step 5.
7. The target peers receive the rawdata from the source peer and store it in local
copies of the bucket.
8. Any targets with designated searchable copies start creating the necessary
index files.
9. The peer continues to stream data to the targets until it rolls its hot bucket.
Note: The source and target peers rarely communicate with each other through
their management ports. Usually, they just send and receive data to each other
over their replication ports. The master node manages the overall process.
This is just the breakdown for data flowing from a single peer. In a cluster,
multiple peers will be both originating and receiving data at any time.
When a source peer rolls a hot bucket to warm (for example, because the bucket
has reached its maximum size), the following sequence of events occurs:
1. The source peer tells the master and its target peers that it has rolled a bucket.
3. The source peer continues ingesting external data as this process is occurring.
It indexes the data locally into a new hot bucket and streams the rawdata to a
new set of target peers that it gets from the master.
4. The new set of target peers receive the rawdata for the new hot bucket from
the source peer and store it in local copies of the bucket. The targets with
designated searchable copies also start creating the necessary index files.
5. The source peer continues to stream data to the targets until it rolls its next hot
bucket. And so on.
How a peer node interacts with a forwarder
When a peer node gets its data from a forwarder, it processes it in the same way
as any indexer getting data from a forwarder. However, in a clustering
environment, you should ordinarily enable indexer acknowledgment for each
forwarder sending data to a peer. This protects against loss of data between
forwarder and peer and is the only way to ensure end-to-end data fidelity. If the
forwarder does not get an acknowledgment for a block of data it has sent to a
peer, it resends the block.
For details on how to set up forwarders to send data to peers, read "Use
forwarders to get your data into the indexer cluster". To understand how peers
and forwarders process indexer acknowledgment, read the section "How indexer
acknowledgment works" in that topic.
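For reference, indexer acknowledgment is enabled on the forwarder side in outputs.conf. The following is a minimal sketch; the stanza name and peer addresses are placeholders:

[tcpout:cluster_peers]
server = peer01.example.com:9997, peer02.example.com:9997
useACK = true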
With a multisite indexer cluster, you can implement search affinity. With search
affinity, searches occur across peers on the same site as the search head. This
improves network efficiency without reducing access to the full set of cluster
data.
Under rare circumstances, described later, you might want to initiate a search on
a single peer.
Note: In an indexer cluster search, the search peers are the set of cluster peers
that are currently registered with the master (in other words, the peers that are
up-and-running and participating in the cluster).
A search across an indexer cluster proceeds as follows:
1. The search head contacts the master node.
2. The master node gives the search head the current generation ID and a list of
the peers in that generation (that is, the peers that are currently registered with
the master).
3. The search head communicates with the search peers in the same way as in a
distributed search not involving an indexer cluster. It provides the peers with
exactly the same information (search request and knowledge bundle), except
that it also gives the search peers the generation ID.
4. The search peers use the generation ID to identify which of their bucket
copies, if any, are primary for the generation and thus need to participate in the
search. As in any other search, the peers also use the search's time range to
determine whether to search a particular bucket.
5. The search peers search their primary copies of buckets and send the results
back to the search head, which consolidates the results.
You can integrate the indexer cluster with a search head cluster, for search head
scaling and high availability. See "Integrate the search head cluster with an
indexer cluster" in the Distributed Search manual.
For details on these and other available features of distributed search, read the
Distributed Search manual, starting with "About distributed search". Also, read
"Configure the search head" in this manual to learn about a few configuration
differences when dealing with a search head in an indexer cluster.
In a multisite cluster, you typically put search heads on each site. This allows you
to take advantage of search affinity. In search affinity, searches normally run
across only peers on the same site as the requesting search head.
Search affinity is always enabled with multisite clusters. However, you must
perform a few steps to take advantage of it. Specifically, you must ensure that
both the searchable data and the search heads are available locally. For
information on how to set up search affinity, see "Implement search affinity in a
multisite indexer cluster".
Once a site has been configured for search affinity, the actual search process
works the same as for single-site clusters. The search head distributes the
current generation ID, along with the search and knowledge bundle, to all peers
across the entire cluster. The local peers, however, are the only ones to respond,
if the cluster is in a valid state. They search their primary buckets and return
results to the search head, using the generation ID to determine which of their
bucket copies are primary.
If the cluster is not in a valid state and the local site does not have a full
complement of primaries (typically, because some peers on the site are down),
remote peers also participate in the search, providing results from any primaries
missing from peers local to the site. In that case, the search does not adhere to
search affinity, in order to maintain access to the full set of data. Once the site
returns to a valid state, subsequent searches again adhere to search affinity.
For debugging purposes, you might occasionally need to search a single peer
node. You do this by initiating the search directly on the peer, in the usual
manner. The search accesses any searchable data on that peer. It does not
have access to unsearchable copies of data on the peer or to searchable copies
of data on other peers.
Note: Keep in mind that there is no way to configure exactly what data will be
searchable on any individual peer. However, at a minimum, all data that has
entered the cluster through the peer should be searchable on that peer.
You can configure the master so that the cluster does replicate summaries. All
searchable bucket copies will then have associated summaries. This is the
recommended behavior.
Note: The replicated summary feature is not available for peer nodes running
version 6.3 or below.
For details on report acceleration and data model acceleration, read the chapter
"Use data summaries to accelerate searches" in the Knowledge Manager
Manual.
The summaries reside on the peer nodes in their own directories. You specify the
directory locations in indexes.conf, with the summaryHomePath and
tstatsHomePath attributes for the report acceleration and data model acceleration
summaries, respectively. See the indexes.conf specification file for details.
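As an illustrative sketch only (the paths shown are examples, not necessarily the defaults), the attributes might appear in indexes.conf like this:

[main]
summaryHomePath = $SPLUNK_DB/main/summary
tstatsHomePath = $SPLUNK_DB/main/datamodel_summary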
Replicated summaries
If you want the cluster to replicate summaries, you must set this attribute in the
master node's server.conf file:
[clustering]
summary_replication = true
You must restart the master.
You can also use the CLI on the master node to set the attribute:
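Assuming the standard splunk edit cluster-config CLI accepts this attribute as a flag, the command would look like this:

splunk edit cluster-config -summary_replication true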
When the cluster is configured to replicate summaries, the cluster takes steps to
ensure that each searchable bucket copy has an associated summary copy:
• For hot buckets. The cluster creates a summary for each searchable
copy of a hot bucket.
When you turn on summary replication for the first time, the cluster might need to
replicate a large number of summaries. This can have an impact on network
bandwidth. To limit the number of summary replications occurring
simultaneously, you can change the value of the max_peer_sum_rep_load
attribute in the master node's server.conf file. Its default value is 5.
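For example, to lower the limit (the value is illustrative, and the attribute is assumed to reside in the [clustering] stanza):

[clustering]
max_peer_sum_rep_load = 2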
Non-replicated summaries
If you keep the default behavior, the cluster will not replicate summaries. This
section describes how the cluster handles non-replicated summaries.
If primacy gets reassigned from one copy of a bucket to another (for example,
because the peer holding the primary copy fails), the summary does not move to
the peer with the new primary copy. Therefore, it becomes unavailable. It will not
be available again until the next time Splunk Enterprise attempts to update the
summary, finds that it is missing, and then regenerates it.
In multisite clusters, like single-site clusters, the summaries reside with the
primary bucket copy. Because a multisite cluster has multiple primaries, one for
each site that supports search affinity, the summaries reside with the particular
primary that the generating search head accessed when running the search. Due
to site affinity, that usually means that the summaries reside on primaries on the
same site as the generating search head.
A search head with acceleration enabled runs special searches on the peers.
These searches build the summaries. See, for example, the description of
building report acceleration summaries in "Manage report acceleration" in the
Knowledge Manager Manual.
How indexer cluster nodes start up
This topic describes what happens when a master node or a peer node starts up.
When a master node comes online (either the first time or subsequently), it
begins listening for cluster peers. Each online peer registers with the master, and
the master adds it to the cluster. The master waits until the replication factor
number of peers register, and then it starts performing its functions.
When you first deploy the cluster, you must enable the master before enabling
the peer nodes, as described in "Indexer cluster deployment overview". The
master blocks indexing on the peers until you enable and restart the full
replication factor number of peers.
After the 60-second quiet period is over, you can view the master dashboard for
information on the status of the cluster.
For more information on what occurs when a master goes down and then
restarts, see "What happens when the master node goes down".
When you initially deploy a cluster, you must first enable the master and then
enable the peer nodes, as described in "Indexer cluster deployment overview".
The master blocks indexing on the peers until you enable and restart the full
replication factor number of peers.
Each peer registers with the master when it comes online, and the master
automatically distributes the latest configuration bundle to it. The peer then
validates the configuration bundle locally. The peer will only join the cluster if
bundle validation succeeds.
The peer starts indexing data after the replication factor number of peers join the
cluster.
A peer can also come online at some later time, when the cluster is already up
and running with a master and the replication factor number of peers. The peer
registers with the master when it comes online, and the master distributes the
latest configuration bundle to it. The peer validates the configuration bundle
locally. The peer joins the cluster only if bundle validation succeeds.
No matter how a peer goes down, the master coordinates remedial activities to
recreate a full complement of bucket copies. This process is called bucket
fixing. The master keeps track of which bucket copies are on each node and
what their states are (primacy, searchability). When a peer goes down, the
master can therefore instruct the remaining peers to fix the cluster's set of
buckets, with the aim of returning to the state where the cluster has:
• Exactly one primary copy of each bucket (the valid state). In a multisite
cluster, the valid state means that there is a primary copy on each site that
supports search affinity, based on the site_search_factor.
• A full set of searchable copies for each bucket, matching the search
factor. In the case of a multisite cluster, the number of searchable bucket
copies must also fulfill the site-specific requirements for the search factor.
• A full set of copies (searchable and non-searchable combined) for each
bucket, matching the replication factor (the complete state). In the case of
a multisite cluster, the number of bucket copies must also fulfill the
site-specific requirements for the replication factor.
Barring catastrophic failure of multiple nodes, the master can usually recreate a
valid cluster. If the cluster (or the site in a multisite cluster) has a search factor of
at least 2, it can do so almost immediately. Whether or not a master can also
recreate a complete cluster depends on the number of peers still standing
compared to the replication factor. At least replication factor number of peers
must remain standing for a cluster to be made complete. In the case of a
multisite cluster, each site must have available at least the number of peers
specified for it in the site replication factor.
The time that the cluster takes to return to a complete state can be significant,
because it must first stream buckets from one peer to another and make
non-searchable bucket copies searchable. See Estimate the cluster recovery
time when a peer gets decommissioned for more information.
Besides the remedial steps to fix the buckets, a few other key events happen
when a node goes down:
• The master rolls the generation and creates a new generation ID, which
it communicates to both peers and search heads when needed.
• Any peers with copies of the downed node's hot buckets roll those copies
to warm.
The splunk offline command removes a peer from the cluster and then stops
the peer. It takes the peer down gracefully, allowing any in-progress searches to
complete while quickly returning the cluster to a fully searchable state.
• splunk offline: This is the fast version of the splunk offline
command. The peer goes down quickly, after a maximum of five minutes,
even if searches or remedial activities are still in progress.
• splunk offline --enforce-counts: This is the enforce-counts version of
the command, which is designed to validate that the cluster has returned
to the complete state. If you invoke the enforce-counts flag, the peer does
not go down until all remedial activities are complete.
For detailed information on running the splunk offline command, see Take a
peer offline.
The fast version of the splunk offline command has this syntax:
splunk offline
This version of the command causes the following sequence of actions to occur:
3. Generation ID rolling. The master rolls the cluster's generation ID. At the end
of this step, the peer no longer joins in new searches, but it continues to
participate in any in-progress searches.
4. Full shutdown. The peer shuts down completely after a maximum of five
minutes, or when in-progress searches and primacy re-assignment activities
complete - whichever comes first. It no longer sends heartbeats to the master.
For details on the conditions that precede full shutdown, see The fast offline
process.
5. Restart count. After the peer shuts down, the master waits the length of the
restart_timeout attribute (60 seconds by default), set in server.conf. If the peer
comes back online within this period, the master rebalances the cluster's set of
primary bucket copies but no further remedial activities occur.
During this step, the peer's status is Restarting. If the peer does not come back
up within the timeout period, its status changes to Down.
6. Remedial activities. If the peer does not restart within the restart_timeout
period, the master initiates actions to fix the cluster buckets and return the cluster
to a complete state. It tells the remaining peers to replicate copies of the buckets
on the offline peer to other peers. It also compensates for any searchable copies
of buckets on the offline peer by instructing other peers to make non-searchable
copies of those buckets searchable. At the end of this step, the cluster returns to
the complete state.
If taking the peer offline results in less than replication factor number of
remaining peers, the cluster cannot finish this step and cannot return to the
complete state. For details on how bucket-fixing works, see Bucket-fixing
scenarios.
In the case of a multisite cluster, remedial activities take place within the same
site as the offline peer, if possible. For details, see Bucket-fixing in multisite
clusters.
The enforce-counts version of the splunk offline command has this syntax:
splunk offline --enforce-counts
3. Generation ID rolling. The master rolls the cluster's generation ID. At the end
of this step, the peer no longer joins in new searches, but it continues to
participate in any in-progress searches.
4. Remedial activities. The master initiates actions to fix the cluster buckets so
that the cluster returns to a complete state. It tells the remaining peers to
replicate copies of the buckets on the offline peer to other peers. It also
compensates for any searchable copies of buckets on the offline peer by
instructing other peers to make non-searchable copies of those buckets
searchable. At the end of this step, the cluster returns to the complete state.
During this step, the peer's status is Decommissioning. For details on how
bucket-fixing works, see Bucket-fixing scenarios.
5. Full shutdown. The peer shuts down when the cluster returns to the complete
state. Once it shuts down, the peer no longer sends heartbeats to the master. At
this point, the peer's status changes to GracefulShutdown. For details on the
conditions that precede full shutdown, see The enforce-counts offline process.
When a peer node goes down for any reason besides the offline command, it
stops sending the periodic heartbeat to the master. This causes the master to
detect the loss and initiate remedial action. The master coordinates essentially
the same actions as when the peer gets taken offline intentionally, except for the
following:
Searches can continue across the cluster after a node goes down; however,
searches will provide only partial results until the cluster regains its valid state.
In the case of a multisite cluster, when a peer goes down on one site, the site
loses its search affinity, if any, until it regains its valid state. During that time,
searches continue to provide full results through involvement of remote peers.
Bucket-fixing scenarios
When a peer node goes down, the master coordinates bucket-fixing activities
among the remaining peers. In addition to recreating the full replication factor
number of bucket copies, the cluster must ensure that it has a full complement
of primary and searchable copies.
Note: The bucket-fixing process varies somewhat for clusters with SmartStore
indexes. See Indexer cluster operations and SmartStore.
For example, assume that the downed peer had 10 bucket copies, and five of
those were searchable, and two of the searchable copies were primary. The
cluster must:
• reassign primacy for the two primary copies, by designating searchable
copies of those buckets on other peers as primary
• for each of the five searchable copies that were lost, make a non-searchable
copy of the same bucket on another peer searchable
• stream new copies of all 10 buckets to other peers, to return the cluster to
the replication factor number of copies
The third activity - streaming copies from one peer to another - can also take a
significant amount of time (depending on the amount of data to be streamed), as
described in Estimate the cluster recovery time when a peer gets
decommissioned.
The two examples below illustrate how a master 1) recreates a valid and
complete cluster and 2) creates a valid but incomplete cluster when insufficient
nodes remain standing. The process operates the same whether the peer goes
down intentionally or unintentionally.
• A cluster can be valid but incomplete if there are searchable copies of all
buckets, but there are less than replication factor number of copies of
buckets. So, if a cluster with a replication factor of 3 has exactly three peer
nodes and one of those peers goes down, the cluster can be made valid
but it cannot be made complete, since, with just two standing nodes, it is
not possible to fulfill the replication factor by maintaining three sets of
buckets.
Assume:
• The cluster has a replication factor of 3 and a search factor of 2, with enough
peers remaining after the failure to fulfill both.
• The downed peer held 20 bucket copies, of which 10 were searchable and
three were primary.
• The peer went down unintentionally (that is, not in response to an offline
command).
When the peer goes down, the master sends messages to various of the
remaining peers as follows:
1. For each of the three primary bucket copies on the downed peer, the master
identifies a peer with another searchable copy of that bucket and tells that peer to
mark the copy as primary.
When this step finishes, the cluster regains its valid state, and any subsequent
searches provide a full set of results.
2. For each of the 10 searchable bucket copies on the downed peer, the master
identifies 1) a peer with a searchable copy of that bucket and 2) a peer with a
non-searchable copy of the same bucket. It then tells the peer with the
searchable copy to stream the bucket's index files to the second peer. When the
index files have been copied over, the non-searchable copy becomes
searchable.
3. For each of the 20 total bucket copies on the downed peer, the master
identifies 1) a peer with a copy of that bucket and 2) a peer that does not have a
copy of the bucket. It then tells the peer with the copy to stream the bucket's
rawdata to the second peer, resulting in a new, non-searchable copy of that
bucket.
When this last step finishes, the cluster regains its complete state.
Assume:
• The cluster has three peers, a replication factor of 3, and a search factor of 1.
• The downed peer held 20 bucket copies, of which five were searchable and
primary.
• The peer went down unintentionally (that is, not in response to an offline
command).
Since the cluster has just three peers and a replication factor of 3, the downed
peer means that the cluster can no longer fulfill the replication factor and
therefore cannot be made complete.
When the peer goes down, the master sends messages to various of the
remaining peers as follows:
1. For each of the five searchable, primary bucket copies on the downed node,
the master first identifies a peer with a non-searchable copy and tells the peer to
make the copy searchable. The peer then begins building index files for that
copy. (Because the search factor is 1, there are no other searchable copies of
those buckets on the remaining nodes. Therefore, it is not possible for the
remaining peers to make non-searchable bucket copies searchable by streaming
index files from another searchable copy. Rather, they must employ the slower
process of creating index files from the rawdata file of a non-searchable copy.)
2. The master then tells the peers from step 1 to mark the five, newly searchable
copies as primary. Unlike the previous example, the step of designating other
bucket copies as primary cannot occur until non-searchable copies have been
made searchable. Because the cluster's search factor = 1, there are no standby
searchable copies.
Once step 2 completes, the cluster regains its valid state. Any subsequent
searches provide a full set of results.
3. For the 20 bucket copies on the downed node, the master cannot initiate any
action to make replacement copies (so that the cluster will again have the three
copies of each bucket, as specified by the replication factor), because there are
too few peers remaining to hold the copies.
Since the cluster cannot recreate a full set of replication factor number of copies
of buckets, the cluster remains in an incomplete state.
Pictures, too
The following diagram shows a cluster of five peers, with a replication factor of 3
and a search factor of 2. The primary bucket copies reside on the source peer
receiving data from a forwarder, with searchable and non-searchable copies of
that data spread across the other peers.
Note: This is a highly simplified diagram. To reduce complexity, it shows only the
buckets for data originating on one peer. In a real-life scenario, most, if not all, of
the other peers would also be originating data and replicating it to other peers on
the cluster.
The next diagram shows the same simplified version of the cluster, after the
source node holding all the primary copies has gone down and the master has
finished directing the remaining peers in fixing the buckets:
The master directed the cluster in a number of activities to recover from the
downed peer:
1. The master reassigned primacy from bucket copies on the downed peer to
searchable copies on the remaining peers. When this step finished, it rolled the
generation ID.
2. It directed the peers to make their non-searchable copies searchable, to make
up for the missing set of searchable copies.
3. It directed the replication of a new set of non-searchable copies (1D, 2D, etc.),
spread among the remaining peers.
Even though the source node went down, the cluster was able to fully recover
both its complete and valid states, with replication factor number of total buckets,
search factor number of searchable bucket copies, and exactly one primary copy
of each bucket. This represents a different generation from the previous diagram,
because primary copies have moved to different peers.
The processes that multisite clusters use to handle node failure have some
significant differences from single-site clusters. See Multisite clusters and node
failure.
You can view the status of bucket fixing from the Master dashboard. See View
the master dashboard.
When a peer comes back up, it starts sending heartbeats to the master. The
master recognizes it and adds it back into the cluster. If the peer still has intact
bucket copies from its earlier activities in the cluster, the master adds those
copies to the counts it maintains of buckets. The master also rebalances the
cluster, which can result in searchable bucket copies on the peer, if any, being
assigned primary status. For information on rebalancing, see "Rebalance the
indexer cluster primary buckets."
Note: When the peer connects with the master, it checks to see whether it
already has the current version of the configuration bundle. If the bundle has
changed since it went down, the peer downloads the latest configuration bundle,
validates it locally, and restarts. The peer rejoins the cluster only if bundle
validation succeeds.
To understand what happens when a peer returns to the cluster, you must first
understand how the master tracks bucket copies.
The master maintains counts for each bucket in the cluster. For each bucket, it
knows:
The master also ensures that there's always exactly one primary copy of a given
bucket.
With multisite clusters, the master keeps track of copies and searchable copies
for each site, as well as for the cluster as a whole. It also ensures that each site
with an explicit search factor has exactly one primary copy of each bucket.
These counts allow the master to determine whether the cluster is valid and
complete. For a multisite cluster, this means that the cluster has:
• Exactly one primary copy of each bucket for each site with an explicit
search factor.
• A full set of searchable copies for each bucket, matching the search factor
for each site as well as for the cluster as a whole.
• A full set of copies (searchable and non-searchable) for each bucket,
matching the replication factor for each site as well as for the cluster as a
whole.
When a peer goes down, the master directs the remaining peers in bucket-fixing
activities. Eventually, if the bucket fixing is successful, the cluster returns to a
complete state.
If the peer later returns to the cluster, the master adds its bucket copies to its
counts (assuming that the copies were not destroyed by whatever problem
caused the peer to go down in the first place). The consequences vary somewhat
depending on whether bucket-fixing activity has completed by the time the peer
comes back up.
If bucket-fixing is finished
If bucket-fixing has already completed and the cluster is in a complete state, the
copies from the returned peer are just extras. For example, assume the
replication factor is 3 and the cluster has fixed all the buckets so that there are
again three copies of each bucket in the cluster, including the ones that the
downed peer was maintaining before it went down. When the downed peer then
comes back up with its copies intact, the master just adds those copies to the
count, so that instead of three copies, there will be four copies of some buckets.
Similarly, there could be an excess of searchable bucket copies if the returned
peer was maintaining some searchable bucket copies. These excess copies
might come in handy later, if another peer maintaining copies of some of those
buckets goes down.
If bucket-fixing is still in progress
If the cluster is still replacing the copies that were lost when the peer went down,
the return of the peer can curtail the bucket-fixing. Once the master has added
the copies on the returned peer to its counts, it knows that the cluster is complete
and valid, and so it will no longer direct the other peers to make copies of those
buckets. However, any peers that are currently in the middle of some
bucket-fixing activity, such as copying buckets or making copies searchable, will
complete their work on those copies. Since bucket-fixing is time-intensive, it is
worthwhile to bring a downed peer back online as soon as possible, particularly if
the peer was maintaining a large number of bucket copies.
Remove excess bucket copies
If the returning peer results in extra copies of some buckets, you can save disk
space by removing the extra copies. See Remove excess bucket copies from the
indexer cluster.
What happens when the master node goes down
To deal with the possibility of a downed master, you can configure a stand-by
master that can take over if needed. For details, see "Replace the master node
on the indexer cluster".
If a master goes down, the cluster can continue to run as usual, as long as there
are no other failures. Peers can continue to ingest data, stream copies to other
peers, replicate buckets, and respond to search requests from the search head.
When a peer rolls a hot bucket, it normally contacts the master to get a list of
target peers to stream its next hot bucket to. However, if a peer rolls a hot bucket
while the master is down, it will just start streaming its next hot bucket to the
same set of peers that it used as targets for the previous hot bucket.
Eventually, problems will begin to arise. For example, if a peer goes down and
the master is still down, there will be no way to coordinate the necessary
remedial bucket-fixing activity. Or if, for some reason, a peer is unable to
connect with one of its target peers, it has no way of getting another target.
The search head can also continue to function without a master, although
eventually the searches will be accessing incomplete sets of data. (For example,
if a peer with primary bucket copies goes down, there's no way to transfer
primacy to copies on other peers, so those buckets will no longer get searched.)
The search head will use the last generation ID that it got before the master went
down. It will display a warning if one or more peers in the last generation are
down.
When the master comes back up
Peers continue to send heartbeats indefinitely, so that, when the master comes
back up, they will be able to detect it and reconnect.
When the master comes back up, it waits for a quiet period of 60 seconds, so
that all peers have an opportunity to re-register with it. Once the quiet period
ends, the master has a complete view of the state of the cluster, including the
state of peer nodes and buckets. Assuming that at least the replication factor
number of peers have registered with it, the master initiates any necessary
bucket-fixing activities to ensure that the cluster is valid and complete. In
addition, it rebalances the cluster and updates the generation ID as needed.
Bucket fixing can take some time to complete, because it involves copying
buckets and making non-searchable copies searchable. For help estimating the
time needed to complete the bucket-fixing activity, see the topic on estimating
bucket-fixing time in this manual.
After the 60 second quiet period is over, you can view the master dashboard for
accurate information on the status of the cluster.
Note: You must make sure that at least the replication factor number of peers
are running when you restart the master.
Implement SmartStore to reduce local
storage requirements
About SmartStore
SmartStore is an indexer capability that provides a way to use remote object
stores, such as Amazon S3, to store indexed data.
With SmartStore, you can reduce the indexer storage footprint to a minimum and
choose I/O optimized compute resources. Most data resides on remote storage,
while the indexer maintains a local cache that contains a minimal amount of data:
hot buckets, copies of warm buckets participating in active or recent searches,
and bucket metadata.
You can enable SmartStore for all indexes or for a subset of indexes.
SmartStore advantages
SmartStore offers additional advantages specific to deployments of indexer
clusters:
• Fast recovery from peer failure and fast data rebalancing, requiring only
metadata fixups for warm data.
• Lower overall storage requirements, as the system maintains only a single
permanent copy of each warm bucket.
• Full recovery of warm buckets even when the number of peer nodes that
go down is greater than or equal to the replication factor.
• A bootstrapping capability that allows a new cluster to inherit the data from
an old cluster.
• Global size-based data retention.
• Simplified upgrades.
An intelligent cache manager ensures that, for most search use cases,
SmartStore provides similar performance to local storage configurations.
Choosing SmartStore
SmartStore can help you to achieve significant cost savings for medium to large
scale deployments. In particular, consider enabling SmartStore under these
circumstances:
• When your deployment is an indexer cluster and you want to speed up
operations such as recovery from peer failure, data rebalancing, and bucket
fixup, because most of the data no longer resides on the peer nodes.
• When most searches are over recent data.
There are a few situations where local storage might be a better choice:
• If you have a small deployment, with limited amounts of stored data, the
advantages of SmartStore might not compensate for the costs of setting
up and maintaining a remote store.
• If you have frequent need to run rare searches, SmartStore might not be
appropriate for your purposes, as rare searches can require the indexer to
copy large amounts of data from remote to local storage, causing a
performance impact. This is particularly the case with searches that cover
long timespans. If, however, the searches are across recent data and thus
the necessary buckets are already in the cache, then there is no
performance impact.
• If you run frequent long lookback searches, you might need to increase
your cache size or continue to rely on local storage.
The following capabilities are not available for SmartStore-enabled indexes. Their
corresponding settings must use their default values.
Settings in indexes.conf that are incompatible with SmartStore or otherwise
restricted
At this time, SmartStore support requires that your indexing tier conform to
certain restrictions:
SmartStore in a nutshell
A SmartStore-enabled index minimizes its use of local storage, with the bulk of
its data residing on remote object stores such as S3.
The key difference with SmartStore is that the remote object store becomes the
location for master copies of warm buckets, while the indexer's local storage is
used to cache copies of warm buckets currently participating in a search or that
have a high likelihood of participating in a future search.
A cache manager on the indexer fetches copies of warm buckets from the
remote store and places them in the indexer's local cache when the buckets are
needed for a search. The cache manager also evicts warm bucket copies from
the cache once their likelihood of being searched again diminishes.
With SmartStore indexes, as with non-SmartStore indexes, hot buckets are built
in the indexer's local storage cache. However, with SmartStore indexes, when a
bucket rolls from hot to warm, a copy of the bucket is uploaded to remote
storage. The remote copy then becomes the master copy of the bucket.
Eventually, the cache manager evicts the local bucket copy from the cache.
When the indexer needs to search a warm bucket for which it doesn't have a
local copy, the cache manager fetches a copy from remote storage and places it
in the local cache.
The indexer's local storage contains the following:
• Hot buckets. Hot buckets are created in local storage. They continue to
reside solely on the indexer until they roll to warm.
• Copies of warm buckets that are currently participating in searches.
• Copies of recently created or recently searched warm buckets. The
indexer maintains a cache of warm buckets, to minimize the need to fetch
the same buckets from remote storage repeatedly.
• Metadata for remote buckets. The indexer maintains a small amount of
information about each bucket in remote storage.
The buckets of SmartStore indexes ordinarily have just two active states: hot and
warm. The cold state, which is used with non-SmartStore indexes to distinguish
older data eligible for moving to cheap storage, is not necessary with SmartStore
because warm buckets already reside on inexpensive remote storage. Buckets
roll directly from warm to frozen.
Cold buckets can, in fact, exist in a SmartStore-enabled index, but only under
limited circumstances. Specifically, if you migrate an index from non-SmartStore
to SmartStore, any migrated cold buckets use the existing cold path as their
cache location, post-migration.
In all other respects, migrated cold buckets are functionally equivalent to warm
buckets. The cache manager manages the migrated cold buckets in the same way
that it manages warm buckets. The only difference is that the cold buckets are
fetched into the cold path location, rather than the home path location.
The indexer's cache manager manages the local cache. It fetches copies of
warm buckets from remote storage when the buckets are needed for a search. It
also evicts buckets from the cache, based on factors such as the bucket's search
frequency, its data recency, and various other, configurable criteria.
Certain characteristics that are common to the great majority of Splunk platform
searches drive the cache manager's strategy for optimizing bucket location.
Specifically, most searches have these characteristics:
• They occur over near-term data. 97% of searches look back 24 hours or
less.
• They have spatial and temporal locality. If a search finds an event at a
specific time or in a specific log, it's likely that other searches will look for
events within a closely similar time range or in that log.
The cache manager therefore favors recently created buckets and recently
accessed buckets, ensuring that most of the data that you are likely to search is
available in local cache. Those buckets that are likely to participate in searches
only infrequently still exist on remote storage and can be fetched to local storage
as needed.
Indexer clusters
With SmartStore indexes, indexer clusters maintain replication and search factor
copies of hot buckets only. The remote storage is responsible for ensuring the
high availability, data fidelity, and disaster recovery of the warm buckets.
Because the remote storage handles warm bucket high availability, peer nodes
replicate only warm bucket metadata, not the buckets themselves. This means
that any necessary bucket fixup for SmartStore indexes proceeds much more
quickly than it does for non-SmartStore indexes.
If a group of peer nodes equaling or exceeding the replication factor goes down,
the cluster does not lose any of its SmartStore warm data because copies of all
warm buckets reside on the remote store.
Data streams to a source indexer, which indexes it and saves it locally in a hot
bucket. The indexer also replicates the hot bucket data to target indexers. So far,
the data flow is identical to the data flow for non-SmartStore indexes.
When the hot bucket rolls to warm, the data flow diverges, however. The source
indexer copies the warm bucket to the remote object store, while leaving the
existing copy in its cache, since searches tend to run across recently indexed
data. The target indexers, however, delete their copies, because the remote
store ensures high availability without the need to maintain multiple local
copies. The master copy of the bucket now resides on the remote store.
The cache manager on the indexer is central to the SmartStore data flow. It
fetches copies of buckets from the remote store, as necessary, to handle search
requests. It also evicts older or less searched copies of buckets from the cache,
as the likelihood of their participating in searches decreases over time. The job of
the cache manager is to optimize use of the available cache, while ensuring that
searches have immediate access to the buckets they need.
Deploy SmartStore
Indexer requirements
Hardware requirements
Hardware requirements, with the exception of local storage (see below), are the
same as for any Splunk Enterprise indexer.
If you are running Splunk Enterprise on local Linux machines, the preferred local
storage type is SSD.
If you are running Splunk Enterprise on AWS instances, use AWS with SSD (for
example, AWS I3s, AWS R5s).
The amount of local storage available on each indexer for cached data must be
in proportion to the expected working set. For best results, provision enough local
storage to accommodate the equivalent of 30 days' worth of indexed data. For
example, if the indexer is adding approximately 100GB/day of indexed data, the
recommended size reserved for cached data is 3000GB. At a minimum, provision
enough storage to keep at least 7-10 days of data in cache, as searches typically
occur on data indexed within the last 7 - 10 days.
Note: The size of data indexed is typically around 50% of the size of data
ingested, due to compression of data during indexing. However, there are a
number of other factors that also enter into determining the size ratio of indexed
data to ingested data. For a general discussion of Splunk Enterprise data volume
and how to estimate your storage needs, refer to "Estimating your storage
requirements" in the Installation Manual.
• The distribution of ingested data across the indexer cluster. Strive for
balanced data ingestion across the indexers, so that all the indexers are
indexing, and storing, approximately the same amount of data.
• The number of hot buckets on the indexers. Hot buckets follow replication
and search factor policies, so they have, on a per bucket basis, larger
storage requirements than warm buckets of the same size.
For purposes of configuring size, the cache is identical with the partition that the
cache resides on. Typically, that partition also includes many other files, such as
splunk binaries, the operating system, search artifacts, non-SmartStore indexes
(if any), and so on. The index data itself resides in $SPLUNK_DB. For more
information on cache sizing, see "Initiate eviction based on occupancy of the
cache's disk partition".
Each on-prem machine must run the same Linux 3.x+ 64-bit operating system.
If, instead, you are running Splunk Enterprise on AWS instances, use AWS with
SSD (for example, AWS I3s, AWS R5s).
All nodes (peer nodes, master node, and search heads) in the indexer cluster
must be running the same version of Splunk Enterprise, down to the
maintenance level.
You must enable SmartStore for the same set of indexes on all peer nodes.
For indexer cluster requirements in general, see System requirements and other
deployment considerations for indexer clusters.
Network requirements
The indexers are clients of the remote store and use the standard https port to
communicate with it.
Later, when you configure remote volumes for SmartStore, you configure settings
specific to the remote store in indexes.conf. The indexer uses those settings to
communicate with the remote store.
SmartStore supports these remote object storage types:
• S3
• S3-API-compliant object stores
See the Amazon S3 documentation for information on how to create and
configure buckets.
For S3-specific settings available through Splunk Enterprise, search for settings
in the indexes.conf spec file that start with remote.s3.
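For example, a remote volume stanza combines the generic remote storage
settings with S3-specific ones. The volume name, bucket path, and endpoint
shown here are placeholders only:

[volume:remote_store]
storageType = remote
path = s3://mybucket/some/path
# Optional: point to a specific S3 endpoint or region.
remote.s3.endpoint = https://s3.us-east-1.amazonaws.com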
Even with a SmartStore index, some index data is temporarily stored locally, in
the cache. However, except for hot buckets, the index's master copies of buckets
are stored remotely. For the sake of simplicity, the list of storage options
assumes the index's master copies when discussing storage volumes and does
not consider data stored locally in the SmartStore cache.
SmartStore security strategies
SmartStore security strategies vary according to the type of remote storage
service. This topic covers security when using S3 as the remote storage service.
If the indexer is running on EC2, use the access and secret keys from its IAM
role.
If the indexer is not running on EC2, use hardcoded keys in indexes.conf. These
are the relevant settings for hardcoding the S3 keys:
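A minimal sketch, assuming a remote volume named "remote_store"; the key
values are placeholders:

[volume:remote_store]
remote.s3.access_key = <S3 access key>
remote.s3.secret_key = <S3 secret key>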
For more information on these attributes, see the indexes.conf spec file.
The credentials you use, whether from the IAM role or from indexes.conf, need
permission to perform S3 operations. They also need permission to perform KMS
operations, if you are encrypting data-at-rest on the remote store.
The SSL certification settings vary according to the remote storage service type.
This section provides information for managing SSL for an S3 remote store,
using the settings provided in indexes.conf. For more details on any of these
settings, as well as for information on additional S3-related SSL settings, see the
indexes.conf spec file.
Common SSL-related attributes and their recommended values are described in
the indexes.conf spec file.
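As a hedged sketch of the kinds of attributes involved (verify the exact names
and defaults in the indexes.conf spec file before use):

[volume:remote_store]
# Verify the remote store's SSL certificate.
remote.s3.sslVerifyServerCert = true
# Restrict the allowed TLS versions.
remote.s3.sslVersions = tls1.2
# Path to the CA certificate bundle used to validate the server certificate.
remote.s3.sslRootCAPath = <path to CA certificate file>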
Choosing the encryption method is a one-time decision. You cannot change the
encryption method later.
See the indexes.conf spec file for detailed information on each of these settings.
Also, read the Amazon documentation for configuring server-side encryption.
Encryption occurs at the time of data upload. When you configure encryption for
the remote volume, you do not cause data already on the volume to be
encrypted.
Encryption with sse-c
[volume:example_volume]
remote.s3.encryption = sse-c
remote.s3.encryption.sse-c.key_type = kms
remote.s3.encryption.sse-c.key_refresh_interval = 86400
# 86400 seconds equals 24 hours. This is the default and recommended value.
# The minimum value is 3600. Setting a very low value can degrade performance.
remote.s3.kms.auth_region = <aws_region>
remote.s3.kms.key_id = <kms_keyid>
# The kms_keyid must be a unique key ID, the Amazon Resource Name (ARN) of the CMK,
# or the name or ARN of an alias that points to the CMK.
Encryption with sse-s3
[volume:example_volume]
remote.s3.encryption = sse-s3
Encryption with sse-kms
[volume:example_volume]
remote.s3.encryption = sse-kms
remote.s3.kms.key_id = <kms_keyid>
Note: This procedure configures SmartStore for a new indexer cluster only. It
does not describe how to load existing data onto an indexer cluster. To migrate
existing local indexes to SmartStore, see Migrate existing data on an indexer
cluster to SmartStore. To bootstrap existing SmartStore data onto a new indexer
cluster, see Bootstrap SmartStore indexes onto an indexer cluster.
Prerequisites
Read:
Deploy SmartStore
The following procedure assumes that you are deploying SmartStore on a new
indexer cluster. It also assumes that you are deploying SmartStore for all indexes
on the cluster, using a single remote location. If you want to deploy SmartStore
for some indexes only, or if you want to use multiple remote locations for the
SmartStore indexes, you can modify the procedure to fit your needs.
1. Ensure that you have met the prerequisites. In particular, read:
♦ SmartStore system requirements
♦ Configure the remote store for SmartStore
2. Understand SmartStore security strategies and prepare to implement
them as necessary during the deployment process. See SmartStore
security strategies.
3. Install a new Splunk Enterprise instance and enable it as the master node
for a new indexer cluster. See Enable the indexer cluster master node.
4. Set the indexer cluster's replication factor and search factor to equal
values, for example, 3/3.
5. On the master node, create or edit
$SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf and
specify the SmartStore settings, as shown in the example below. When
the peer nodes later start up, the master automatically distributes these
settings, along with the rest of the configuration bundle, to the peer nodes.
[default]
# Configure all indexes to use the SmartStore remote volume called
# "remote_store".
# Note: If you want only some of your indexes to use SmartStore,
# place this setting under the individual stanzas for each of the
# SmartStore indexes, rather than here.
remotePath = volume:remote_store/$_index_name
repFactor = auto
[volume:remote_store]
storageType = remote
# The path attribute points to the remote storage location
# of the indexes inside the remote system.
# This is an S3 example: "path = s3://mybucket/some/path".
path = <scheme>://<remote-location-specifier>
This command recursively lists any files that are present in the
remote volume. It is recommended that you first place a sample
text file in the remote volume. If you see the file when you run the
command, you have access to the remote store.
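A sketch of the command in question; the exact syntax can vary by Splunk
Enterprise version, so verify it against your version's documentation:

splunk cmd splunkd rfs -- ls --starts-with volume:remote_store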
3. Send some data to the indexers and wait for buckets to roll. If you
don't want to wait for buckets to roll naturally, you can manually roll
some buckets from a peer node:
services/admin/cacheman/<cid>/evict
where <cid> is bid|<bucketId>|. For example:
"bid|taktaklog~0~7D76564B-AA17-488A-BAF2-5353EA0E9CE5|"
2. Run a search locally on the indexer. The search must be one
that requires data from the evicted bucket.
The indexer must now transfer the bucket from remote storage to
run the search. After running the search, you can check that the
bucket has reappeared in the cache.
Follow-on steps
This step is extremely important, to avoid unwanted bucket freezing and possible
data loss. SmartStore bucket-freezing behavior and settings are different from
the non-SmartStore behavior and settings.
Once you have made these changes to the configuration bundle on the master
node, apply the bundle to distribute the settings to the peer nodes:
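For example, run this CLI command on the master node:

splunk apply cluster-bundle

This is the same command used in the migration procedure later in this manual;
add the --answer-yes flag to skip the confirmation prompt.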
This procedure describes how to migrate all the indexes on the indexer cluster to
SmartStore. You can modify the procedure if you only want to migrate some of
the indexes. Indexers support a mixed environment of SmartStore and
non-SmartStore indexes.
Because this process requires the cluster to upload large amounts of data, it can
take a long time to complete and can have a significant impact on concurrent
indexing and searching.
Migrate data
Prerequisites
• Read:
♦ SmartStore system requirements
♦ Configure SmartStore
♦ Update common peer configurations and apps
♦ Configure the remote store for SmartStore
♦ Choose the storage location for each index
♦ Documentation provided by the vendor of the remote storage
service that you are using
• If the cluster was once migrated from single-site to multisite, you must
convert any pre-existing, single-site buckets to follow the multisite
replication and search policies. To do so, change the
constrain_singlesite_buckets setting in the master's server.conf file to
"false" and restart the master node, as shown in the example after this list.
See Configure the master to convert existing buckets to multisite.
• The cluster should be on the smaller side, with a maximum of 20 indexers.
If you want to migrate a larger cluster, consult Splunk Professional
Services.
• Reconfigure the cluster as necessary to conform with the lists of
unsupported features, current restrictions, and incompatible settings:
♦ Features not supported by SmartStore
♦ Current restrictions on SmartStore use. Regarding the requirement
that replication factor and search factor be equal, you can make
this change post-migration.
♦ Settings in indexes.conf that are incompatible with SmartStore or
otherwise restricted
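For example, the change to the master's server.conf described in the multisite
prerequisite above looks like this (restart the master node afterward):

[clustering]
constrain_singlesite_buckets = false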
Steps
1. Ensure that you have met all prerequisites relevant to this test setup. In
particular, read:
♦ SmartStore system requirements
♦ Configure the remote store for SmartStore
2. Understand SmartStore security strategies and prepare to implement
them as necessary during the deployment process. See SmartStore
security strategies.
3. Install a new Splunk Enterprise instance. For information on how to install
Splunk Enterprise, read the Installation Manual.
Edit indexes.conf in $SPLUNK_HOME/etc/system/local to specify the
SmartStore settings for your indexes. These should be the same group of
settings that you intend to use later on your production deployment.
[default]
# Configure all indexes to use the SmartStore remote volume called
# "remote_store".
# Note: If you want only some of your indexes to use SmartStore,
# place this setting under the individual stanzas for each of the
# SmartStore indexes, rather than here.
remotePath = volume:remote_store/$_index_name
[volume:remote_store]
storageType = remote
# This is an S3 example: "path = s3://mybucket/some/path".
path = <scheme>://<remote-location-specifier>
4. Add stanzas for the indexes that you want to test with SmartStore. For example:
[cs_index]
homePath = $SPLUNK_DB/cs_index/db
thawedPath = $SPLUNK_DB/cs_index/thaweddb
coldPath = $SPLUNK_DB/cs_index/colddb
For details on these settings, see Configure SmartStore. Also see
indexes.conf.spec in the Admin Manual.
5. Restart the instance.
6. Test the deployment:
1. To confirm remote storage access, run this command on the
instance:
This command recursively lists any files that are present in the
remote store. It is recommended that you first place a sample text
file in the remote store. If you see the file when you run the
command, you have access to the remote store.
2. Send some data to the instance and wait for buckets to roll. If you
don't want to wait for buckets to roll naturally, you can manually roll
some buckets:
services/admin/cacheman/<cid>/evict
where <cid> is bid|<bucketId>|. For example:
"bid|taktaklog~0~7D76564B-AA17-488A-BAF2-5353EA0E9CE5|"
2. Run a search that requires data from the evicted bucket.
The instance must now transfer the bucket from remote storage to
run the search. After running the search, you can check that the
bucket has reappeared in the cache.
In this procedure, you configure your cluster for SmartStore. The goal of the
procedure is to migrate all existing warm and cold buckets on all indexes to
SmartStore. Going forward, all new warm buckets will also reside in SmartStore.
The migration process takes time to complete. If you have a large amount of
data, it can take a long time. Expect some degradation of indexing and search
performance during the migration. For that reason, it is best to schedule the
migration for a time when your indexers will be relatively idle.
Steps
Do not replace the existing indexes.conf file, because you need to keep
its current settings, such as its index-definition settings. Instead, merge
these additional settings into the existing file. Be sure to remove any other
copies of these settings from the file.
[default]
# Configure all indexes to use the SmartStore remote volume called
# "remote_store".
# Note: If you want only some of your indexes to use SmartStore,
# place this setting under the individual stanzas for each of the
# SmartStore indexes, rather than here.
remotePath = volume:remote_store/$_index_name

[volume:remote_store]
storageType = remote
# This is an S3 example: "path = s3://mybucket/some/path".
path = <scheme>://<remote-location-specifier>
splunk apply cluster-bundle --answer-yes
11. Start all the peer nodes. Wait briefly for the peer nodes to download the
configuration bundle with the SmartStore settings. To view the status of
the configuration bundle process, you can run the splunk show
cluster-bundle-status command, described in Update common peer
configurations and apps.
12. Run splunk disable maintenance-mode on the master. To confirm that the
master is not in maintenance mode, run splunk show maintenance-mode.
13. Wait briefly for the peer nodes to begin uploading their warm and cold
buckets to the remote store.
Cold buckets use the cold path as their cache location, post-migration.
services/admin/cacheman/<cid>/evict
where <cid> is bid|<bucketId>|. For example:
"bid|taktaklog~0~7D76564B-AA17-488A-BAF2-5353EA0E9CE5|"
3. Run a search locally on the peer node. The search must be one
that requires data from the evicted bucket.
The peer must now transfer the bucket from remote storage to run the
search. After running the search, you can check that the bucket has
reappeared in the cache.
If you need to restart the cluster during migration, upon restart, migration will
continue from where it left off.
Refrain from rebalancing data or removing excess buckets until you have run the
SmartStore-enabled cluster successfully for a while. In particular, run these
operations only after you have set the replication factor and search factor to use
equal values and the cluster has performed any related bucket fixup.
You can run an endpoint from the master node to determine the status of the
migration:
Once migration.status reaches "finished" on all peers, the migration is finished,
and current_job will match total_jobs.
Note: If any peer restarts during migration, its migration information is lost, and
this endpoint cannot be used to check status of that peer, although the migration
will, in fact, resume. The peer's reported status will remain "not_started" even
after migration resumes.
Instead, you can run the following endpoint on the restarted peer:
For example, if you want to replace an indexer cluster, you can take down the old
cluster and bootstrap a new cluster. The new cluster inherits all the buckets from
the old cluster. This can be useful if you need to upgrade the machines running
your indexer cluster.
You cannot run two indexer clusters against the same remote store. That is, you
must shut down the cluster currently accessing buckets from the remote store
before you bootstrap a new cluster to access the same buckets from the remote
store.
You can bootstrap all indexes, or just a subset of indexes, from the remote store.
See Deploy SmartStore on a new indexer cluster for information on how to use
indexes.conf to configure SmartStore either globally or on a per-index basis.
You can bootstrap SmartStore indexes when the cluster initially starts up or later
in its life cycle. This section describes how to bootstrap indexes at cluster initial
start-up. The process for bootstrapping indexes later is a simple variant of adding
an index to an existing indexer cluster.
1. Bring down the old cluster after ensuring that all local data, including data
from any hot buckets, is available on the remote store.
2. Bring up the new cluster and configure its indexes for SmartStore. Follow
the procedure in Deploy SmartStore on an indexer cluster.
Note the following:
♦ When configuring indexes.conf, include all indexes that you want
to bootstrap onto the new cluster.
♦ You must set repFactor=auto on all indexes that you intend to
bootstrap.
♦ Configure the path attribute to point to the same remote storage
location as on the old cluster.
♦ You must maintain the remote store encryption and access settings
used by the old cluster.
♦ All indexes that you bootstrap must be SmartStore-enabled on the
new cluster. You cannot use bootstrapping to revert an index to
non-SmartStore.
Bootstrapping occurs at either of these times:
• When the replication factor number of peer nodes have registered with the
master after indexer cluster start-up.
• After the master pushes a new bootstrapping configuration to the peer
nodes through the configuration bundle method. This allows you to
bootstrap SmartStore indexes after the cluster is already up and running,
or to bootstrap SmartStore indexes selectively at varying points in the life
of the cluster.
1. The master obtains a list of all SmartStore indexes from the peer nodes.
2. Bootstrapping proceeds on a per-index basis:
1. The master assigns one peer to obtain a list of all buckets for the
index from the remote store.
2. The peer returns the bucket list to the master in batches.
The bootstrapping process proceeds quickly because only the bucket metadata
is downloaded and replicated. The bucket contents themselves are not
downloaded during bootstrapping, but only later, if needed for searching.
Manage SmartStore
Configure SmartStore
SmartStore configuration settings reside in three files:
• indexes.conf
• server.conf
• limits.conf
You can enable SmartStore for all of an indexer's indexes, or you can enable
SmartStore on an index-by-index basis, allowing a mix of SmartStore and
non-SmartStore indexes on the same indexer.
When you configure these settings on an indexer cluster's peer nodes, you must
deploy the settings through the configuration bundle method. As with all settings
in indexes.conf, SmartStore settings must be the same across all peer nodes.
remotePath = <root path for remote volume>
    Stanza level: index or global. Enables SmartStore and sets the remote path
    for the index's volume. See Deploy SmartStore on a new indexer cluster.

storageType = remote
    Stanza level: volume. Sets the volume's storage type to remote. See Deploy
    SmartStore on a new indexer cluster.

path = <scheme>://<remote-location-specifier>
    Stanza level: volume. Sets the remote storage location where indexes
    reside. See Deploy SmartStore on a new indexer cluster.

maxGlobalDataSizeMB = <integer>
    Stanza level: index or global. Determines bucket freezing behavior. Sets
    the maximum amount of space that the warm buckets of a SmartStore index can
    occupy. When this maximum is exceeded, the oldest bucket gets frozen. See
    Configure data retention for SmartStore indexes.

hotlist_recency_secs = <integer>
    Stanza level: index. Specifies the time period, based on the bucket's age,
    that the cache manager attempts to protect a recent bucket from eviction.
    This setting operates on a per-index level, while the version of the
    setting in server.conf operates across all indexes. See Configure the
    SmartStore cache manager.

hotlist_bloom_filter_recency_hours = <integer>
    Stanza level: index. Specifies the time period, based on the bucket's age,
    that the cache manager attempts to protect the bucket's non-journal and
    non-tsidx files, such as the bloomfilter file, from eviction. This setting
    operates on a per-index level, while the version of the setting in
    server.conf operates across all indexes. See Configure the SmartStore
    cache manager.
If remotePath is specified for an index, the index's coldPath setting is ignored.
However, you must still specify a value for coldPath, even though it is ignored.
In indexes.conf, you can also configure various settings specific to your remote
storage type. For example, there are a number of settings that begin with
remote.s3. These settings are specific to S3, such as remote.s3.access_key and
remote.s3.secret_key. You configure these settings in the stanza where you
configure the remote volume.
For SmartStore indexes, always use the default value of "auto" (750 MB) for
maxDataSize. This setting, which is not specific to SmartStore, controls the
maximum bucket size.
The following server.conf settings apply to SmartStore:

eviction_padding = <integer>
    Stanza: [cachemanager]. Specifies the amount of additional space, beyond
    minFreeSpace, that the cache manager uses as the threshold to start
    evicting data. See Configure the SmartStore cache manager.

hotlist_recency_secs = <integer>
    Stanza: [cachemanager]. Specifies the time period, based on the bucket's
    age, that the cache manager attempts to protect a recent bucket from
    eviction. This setting operates on a global level, across all indexes,
    while the version of the setting in indexes.conf operates on a per-index
    level. See Configure the SmartStore cache manager.

hotlist_bloom_filter_recency_hours = <integer>
    Stanza: [cachemanager]. Specifies the time period, based on the bucket's
    age, that the cache manager attempts to protect the bucket's non-journal
    and non-tsidx files, such as the bloomfilter file, from eviction. This
    setting operates on a global level, across all indexes, while the version
    of the setting in indexes.conf operates on a per-index level. See Configure
    the SmartStore cache manager.

various settings
    Stanza: [clustering]. Includes various, mostly low-level, settings that
    control remote bucket operations in indexer clusters.

cleanRemoteStorageByDefault = <bool>
    Stanza: [general]. Causes the splunk clean eventdata command to clean the
    remote indexes. Defaults to "false".
For details on these and other server.conf settings, see server.conf.spec.
Most of the SmartStore server.conf settings, including all of the common ones,
are configured on the peer nodes. A few rarely-changed settings are configured
instead on the master node. All settings configured on the peer nodes must be
the same across all peer nodes.
For information on features that are unsupported or restricted when using
SmartStore, see Current restrictions on SmartStore use and Settings in
indexes.conf that are incompatible with SmartStore or otherwise restricted.
The following indexes.conf settings are among those that are incompatible with
SmartStore or otherwise restricted:
• bloomHomePath
• summaryHomePath
• tstatsHomePath
• maxWarmDBCount
• maxTotalDataSizeMB
• warmToColdScript
• homePath.maxDataSizeMB
• coldPath.maxDataSizeMB
Since the cache manager removes only the cached copies of buckets, the
eviction process does not result in loss of data. The master copies continue to
reside in remote storage.
For details on how the cache manager operates, see The SmartStore cache
manager.
Cache manager settings reside in the [cachemanager] stanza in server.conf. You
configure the cache manager on an indexer cluster's peer nodes.
The cache manager operates at the global level. Aside from the recency settings,
you cannot configure the cache manager on a per-index basis.
The eviction_policy setting in the [cachemanager] stanza determines which
buckets the cache manager evicts first. These are the available policies:

Eviction policy   Description
lru (default)     Evict the least recently used bucket.
clock             Evict the bucket with the oldest events first, unless it has
                  been accessed recently.
lrlt              Evict the bucket with the oldest events first.
random            Randomly evict a bucket.
noevict           Don't evict.
Do not change eviction_policy from its default value of "lru" without consulting
Splunk Support.
When the occupied space on the cache's partition exceeds max_cache_size, or
the partition's free space falls below (minFreeSpace + eviction_padding), the
cache manager begins to evict data.
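For example, a [cachemanager] stanza in server.conf on the peer nodes might
look like the following sketch. The values are illustrative only; check
server.conf.spec for the defaults in your version:

[cachemanager]
# Evict the least recently used buckets first (the default policy).
eviction_policy = lru
# Maximum cache size in MB. 0 means no cache-size limit; eviction is then
# driven by the partition's free space (minFreeSpace + eviction_padding).
max_cache_size = 0
# Additional free-space buffer, in MB, added to minFreeSpace before eviction starts.
eviction_padding = 5120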
You can protect recently indexed data from eviction. You can use this capability
in two ways:
• On a global level (across all indexes), to favor recently indexed data over
recently used data.
• On a per-index level, to favor data in critical indexes over data in
non-critical indexes.
When you configure these settings globally, they override the eviction policy,
which, by default, favors buckets that have been recently searched. For example,
if hotlist_recency_secs is set globally to 604800 (7 days), the cache manager
will attempt to retain buckets with data that is less than seven days old. It will
instead evict older buckets, even if those older buckets were searched more
recently. The cache manager will only evict buckets containing data less than
seven days old if there are no older buckets to evict.
By configuring the recency settings on a per-index level, you can favor data in
critical indexes over data in less critical indexes. Since all SmartStore indexes
share the cache and otherwise follow the global cache eviction policy, the
per-index recency settings provide the only means to retain data from critical
indexes for a longer period than data from less critical indexes.
For example, if you have an index with critical data, such as the ES
threat_activity index, and another index whose data is less critical, such as the
default _internal index, you can set hotlist_recency_secs to 5184000 (60
days) for threat_activity, while keeping the default setting of 86400 (1 day) for
_internal. By doing so, you cause the cache manager to favor threat_activity
buckets over _internal buckets, thus reducing the likelihood that the cache will
need to fetch data from the remote store to handle threat_activity searches.
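A sketch of that per-index configuration in indexes.conf on the peer nodes:

[threat_activity]
# Protect roughly the last 60 days of this critical index from cache eviction.
hotlist_recency_secs = 5184000

[_internal]
# No setting needed here; this index keeps the default of 86400 seconds (1 day).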
The hotlist_recency_secs setting affects the cache retention period for warm
buckets. The cache manager attempts to defer bucket eviction until the interval
between the bucket's latest time and the current time exceeds this setting. This
setting defaults to 86400 seconds, or 24 hours.
If you do not configure the settings for a particular SmartStore index, that index
inherits the global value from server.conf.
Set the maximum download and upload rates
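As a hedged sketch, the relevant settings are the cache manager's concurrent
transfer limits in the [cachemanager] stanza of server.conf on the peer nodes,
which effectively bound the download and upload rates. Treat the setting names
and values below as assumptions to verify against server.conf.spec:

[cachemanager]
# Maximum number of buckets that can be downloaded from remote storage at once.
max_concurrent_downloads = 8
# Maximum number of buckets that can be uploaded to remote storage at once.
max_concurrent_uploads = 8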
Once a bucket in the index meets the criteria for freezing, the cluster removes
the bucket entirely from the system, both from remote storage and from any local
caches where copies of it exist.
Because SmartStore indexes do not support the cold bucket state, buckets roll to
frozen directly from warm.
For general information on bucket freezing and archiving, see Set a retirement
and archiving policy and Archive indexed data. Most of the material in those
topics is relevant to all indexes, SmartStore or not. The differences are covered
here.
• maxGlobalDataSizeMB
• frozenTimePeriodInSecs
Like all indexes.conf settings, the settings must be the same for all peer nodes
on an index cluster. Use the configuration bundle method to distribute the
settings from the master node to the peer nodes, as described in Update
common peer configurations and apps.
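For example, a sketch of these retention settings in indexes.conf; the index
name and sizes are illustrative only:

[cs_index]
remotePath = volume:remote_store/$_index_name
# Freeze the oldest warm buckets once this index's warm data exceeds 5000 MB.
maxGlobalDataSizeMB = 5000
# Also freeze any bucket whose data is older than about 6 years (the default).
frozenTimePeriodInSecs = 188697600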
These settings, available for non-SmartStore indexes only, have no effect on a
SmartStore index:
• maxTotalDataSizeMB
• maxWarmDBCount
maxGlobalDataSizeMB
The maxGlobalDataSizeMB setting specifies the maximum size, in MB, for all
warm buckets in a SmartStore index on a cluster. When the size of an index's set
of warm buckets exceeds this value, the cluster freezes the oldest buckets, until
the size again falls below this value.
The total size of an index's warm buckets approximates closely the size that the
index occupies in remote storage. Note these aspects of the size calculation:
If the total size that the warm buckets of an index occupy exceeds
maxGlobalDataSizeMB, the oldest bucket in the index is frozen. For example,
assume that maxGlobalDataSizeMB is set to 5000 for an index, and the index's
warm buckets occupy 4800 MB. If a 750 MB hot bucket then rolls to warm, the
index size now exceeds maxGlobalDataSizeMB, triggering bucket freezing. The
cluster freezes the oldest buckets on the index, until the total warm bucket size
falls below maxGlobalDataSizeMB.
You set this value under the stanza for the index to which it applies. To specify
the same value for all indexes, you can set it at the global stanza level. In that
case, however, the value still applies individually to each index. That is, if you set
maxGlobalDataSizeMB at the global stanza level to 5000 MB, then indexA has its
own maximum of 5000 MB, indexB has its own maximum of 5000 MB, and so on.
This setting defaults to 0, which means that it does not limit the amount of space
that the warm buckets on an index can occupy.
frozenTimePeriodInSecs
This setting is the same setting used with non-SmartStore indexes. It specifies
that buckets freeze when they reach the configured age. The default value is
188697600 seconds, or approximately 6 years.
For details on this setting, see Freeze data when it grows too old.
1. The master node runs a search every 15 minutes, by default, on all peer
nodes, to identify any buckets that need to be frozen.
The most likely reason for a warm bucket not existing on remote
storage is if the bucket recently rolled from hot to warm.
2. The next steps taken by the bucket's designated peer vary,
depending on whether the cluster peers are configured to archive
frozen buckets before deleting them:
◊ If the cluster peers are configured to archive buckets, the
designated peer fetches the bucket from remote storage if it
is not already in local cache. It then archives the bucket and
removes its local copy.
◊ If the peers are configured to remove frozen buckets without
first archiving them, the designated peer does not fetch the
bucket. It simply removes its local copy.
For information on how to configure archiving, see Archive indexed
data.
3. The designated peer removes the bucket from the remote store.
4. The designated peer notifies the master of the remote store
deletion.
5. The master tells each other peer with a local copy of the bucket to
remove its copy.
The term "local bucket copy" means all information about the bucket on the peer.
When a peer removes its local bucket copy during the freezing process, it
removes the bucket's metadata from the index's .bucketManifest file, as well as
any copy of the bucket in its cache. If there is no copy in its cache, then it
removes the empty directory for that bucket.
Thawed data
If you thaw data from an archive, the thawed data is stored locally. You cannot
add thawed data to your set of SmartStore data. Thawed data does not get
uploaded to remote storage and the cache manager does not manage it in any
way. For more information on the thawed bucket state, see Restore archived
indexed data.
• You must specify a value for coldPath, even though SmartStore does not
use the coldPath.
• See SmartStore settings in indexes.conf for a list of relevant SmartStore
settings.
For example, assume that you have already set all SmartStore-related
configurations at the global level. Then, to configure a new index called
"cs_index", just add the following stanza to indexes.conf on the peer nodes:
[cs_index]
homePath = $SPLUNK_DB/cs_index/db
thawedPath = $SPLUNK_DB/cs_index/thaweddb
coldPath = $SPLUNK_DB/cs_index/colddb
Troubleshoot SmartStore
SmartStore, in common with other features of Splunk Enterprise, provides a
number of tools that you can use to troubleshoot your deployment:
• Log files
• CLI commands
• REST endpoints
This topic discusses each of these tools in the SmartStore troubleshooting context.
In addition, it covers some common SmartStore issues and their possible
causes.
Several log files can provide insight into the state of SmartStore operations.
splunkd.log
Look for events from these logging channels:
• CacheManagerHandler. Bucket operations with cache manager REST
endpoint activity.
• S2BucketCache. Search-time bucket management (open, close, and so
on).
• BatchSearch, CursoredSearch, IndexScopedSearch, ISearchOperator.
Search activity related to buckets.
audit.log
metrics.log
splunkd_access.log
• Contains a trail of the search process activity against the cache manager
REST endpoint.
Troubleshoot with REST searches
Use the following search to get a list of buckets that are actively being searched:
The ref_count value increments by 1 when the search opens the bucket and
decrements by 1 when the search closes the bucket.
Use the following search to get a list of buckets that have not been uploaded to
the remote store (that is, are not "stable" on the remote store):
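A hedged sketch of what such searches look like; they query the same cacheman
endpoint used elsewhere in this topic, but treat the exact field names as
assumptions to verify on your deployment.

For buckets that are actively being searched:

| rest /services/admin/cacheman | where 'cm:bucket.ref_count' > 0
  | fields splunk_server, title, cm:bucket.ref_count

For buckets that are not yet stable on the remote store:

| rest /services/admin/cacheman | where 'cm:bucket.stable' == 0
  | fields splunk_server, title, cm:bucket.stable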
Common issues
For more details, examine splunkd.log on the indexer issuing the error.
A disk full related message indicates that the cache manager is unable to evict
sufficient buckets. These are some possible causes:
• Search load overwhelming local storage. For example, the entire cache
might be consumed by buckets opened by at least one search process.
When the search ends, this problem should go away.
• Cache manager issues. If the problem persists beyond a search, the
cause could be related to the cache manager. Examine splunkd.log on
the indexer issuing the error.
How SmartStore works
• It copies buckets from local to remote storage when the buckets roll from
hot to warm.
• It fetches bucket files from remote storage into the local storage cache
when a search needs the files.
• It evicts files from the local storage cache when they are no longer likely to
be needed for future searches.
When a hot bucket rolls to warm, the cache manager uploads a copy of the
bucket to the remote storage. Once uploaded to remote storage, the bucket is
eligible for eviction from the local cache. This process is described in detail in
How indexing works in SmartStore.
Once a bucket is uploaded to remote storage, the files in it do not change, but a
few files can be added to it later. For example, the cache manager might upload
delete journals, as they are created on the indexer.
The cache manager fetches bucket files from remote storage to fulfill search
requests.
When the cache manager fetches a file from remote storage, it copies the file to
the local cache. The master copy of the file remains on remote storage.
The cache manager does not always fetch entire buckets from remote storage.
Instead, it can fetch individual bucket files if the search might not need the entire
bucket. For example, by fetching the bloomfilter file first, the cache manager
can, in some cases, avoid the need to fetch the rest of the bucket. Similarly,
some searches, such as metadata and tstats, do not need the rawdata
journal.gz file. Others, such as dbinspect and eventcount, do not need any
bucket content.
The cache manager attempts to prefetch buckets during a search, so that each
bucket is already local by the time the search is ready to access it. When
prefetching buckets, the cache manager uses a heuristic that adjusts according
to how the bloomfilter and tsidx files in other buckets eliminate results.
Accordingly, the cache manager might prefetch either entire buckets or just
individual files within buckets. For example, during a search, if the search on
several previous buckets did not require the tsidx files, the cache manager does
not prefetch tsidx files as it continues to process additional buckets.
When prefetching, the cache manager notes how long the search process is
taking per bucket, and it prefetches buckets at a speed that allows the search to
continue uninterrupted without the need to wait for a bucket fetch to complete.
The cache manager also adjusts its speed to avoid prefetching an excessive
number of buckets.
The cache manager attempts to minimize the use of local storage by retaining
those buckets and files that have a high likelihood of participating in a future
search and evicting the rest. When the cache manager evicts a bucket, it
removes the copy of that bucket residing on the cache. Because cached buckets
are local copies of buckets whose master copies reside in remote storage, the
eviction process does not result in loss of data.
When a bucket is evicted from the cache, its directory remains in the cache, but
the directory is now empty. The .bucketManifest file for the bucket's index also
retains metadata for the bucket.
The cache manager does not necessarily evict all files in a bucket. It favors
evicting large files, such as the rawdata journal and the tsidx files, while leaving
small files, such as bloomfilter and metadata, in the cache. By doing so, the
cache manager can reduce the need to fetch the large files from remote storage.
For example, inspection of a bucket's bloomfilter file at the start of a search can
sometimes eliminate the need to search the bucket's data, therefore avoiding the
need to fetch the bucket's rawdata journal and tsidx files.
The cache manager operates according to a configurable policy. The default
policy is "lru", which tells the cache manager to evict the least recently used
bucket. To learn about the set of eviction policies available, see Set the eviction
policy.
Non-SmartStore indexes have three types of active buckets:
• Hot buckets
• Warm buckets
• Cold buckets
SmartStore indexes ordinarily have only two types of active buckets:
• Hot buckets
• Warm buckets
The hot buckets of SmartStore indexes reside on local storage, just as with
non-SmartStore indexes. Warm buckets reside on remote storage, although
copies of those buckets might also reside temporarily in local storage.
The concept of cold buckets goes away, because the need to distinguish
between warm and cold buckets no longer exists. With non-SmartStore indexes,
the cold bucket state exists as a way to identify older buckets that can be safely
moved to some type of cheaper storage, because buckets are typically searched
less frequently as they age. But with SmartStore indexes, warm buckets are
already on inexpensive storage, so there is no reason to move them to another
type of storage as they age.
Cold buckets can, in fact, exist in a SmartStore index, but only under limited
circumstances. Specifically, if you migrate an index from non-SmartStore to
SmartStore, any migrated cold buckets will use the existing cold path as their
cache location, post-migration.
The indexing process is the same with SmartStore and non-SmartStore indexes.
The indexer indexes the incoming data and writes the data to hot buckets in local
storage. In the case of an indexer cluster, the source peer streams the hot bucket
data to target peers to fulfill the replication factor.
When buckets roll to warm, however, the SmartStore process differs from
non-SmartStore.
Starting from the point that a bucket rolls from hot to warm, the indexer handles
SmartStore indexes differently from non-SmartStore indexes.
The rolled bucket does not immediately get removed from the indexer's local
storage. Rather, it remains cached locally until it is evicted in response to the
cache manager's eviction policy. Because searches tend to occur most
frequently across recent data, this process helps to minimize the number of
buckets that need to be retrieved from remote storage to fulfill a search request.
After the cache manager finally does remove the bucket from the indexer's local
storage, the indexer still retains metadata information for that bucket in the
index's .bucketManifest file. In addition, the indexer retains an empty directory
for the bucket.
In the case of an indexer cluster, when a bucket rolls to warm, the source peer
uploads the bucket to remote storage. The source peer continues to retain its
bucket copy in local cache until, in due course, the cache manager evicts it.
After successfully uploading the bucket, the source peer sends messages to the
bucket's target peers, notifying them that the bucket has been uploaded to
remote storage. The target peers then evict their local copies of the bucket, so
that the cluster, as a whole, caches only a single copy of the rolled bucket, in the
source peer's local storage.
During the upload process, if the target peers do not hear from the source peer
within five minutes, they query the remote storage to learn whether the bucket
was uploaded. If it wasn't uploaded by the source peer, one of the target peers
then uploads it.
The target peers retain metadata for the bucket, so that the cluster has enough
copies of the bucket, in the form of its metadata, to match the replication factor.
When the source peer's copy of the bucket eventually gets evicted, the source
peer, too, retains the bucket metadata.
In addition to retaining metadata information for the bucket, the source peer
continues to retain the primary designation for the bucket. The peer with primary
designation fetches the bucket from remote storage when the bucket is needed
for a search.
• They occur over near-term data. 97% of searches look back 24 hours or
less.
• They have spatial and temporal locality. If a search finds an event at a
specific time or in a specific log, it's likely that other searches will look for
events within a closely similar time range or in that log.
The cache manager favors recently created buckets and recently accessed
buckets, attempting to ensure that most of the data that a search is likely to need
is available in local cache. Similarly, the cache manager tends to evict buckets
that are likely to participate in searches only infrequently.
Most fundamentals of search are the same for SmartStore and non-SmartStore
indexes. An indexer searches buckets in response to a request from a search
head. The process of searching buckets always occurs in local storage. As the
first step in any search, the indexer compiles a list of buckets that it needs to
search across.
To understand how search works on a SmartStore index and how it differs from
search on a non-SmartStore index, it is necessary to differentiate between these
bucket states:
• Hot buckets
• Warm buckets residing in the local cache
• Warm buckets not residing in the local cache
Hot buckets always reside in local storage, whether the bucket is part of a
SmartStore index or a non-SmartStore index. Therefore, searches of hot buckets
work the same in both environments.
When an indexer needs to search a warm bucket for a SmartStore index, it first
"opens" that bucket. Later, when it has finished searching the bucket, it "closes"
it. The designation of "open" and "closed" is necessary for the proper functioning
of the cache eviction process. When a bucket is open, the indexer's cache
manager knows that the bucket is participating in a search and is thus not eligible
for eviction. Once a bucket is closed, it becomes eligible for eviction.
Once the warm bucket is open, the indexer determines whether the bucket
currently resides in the local cache. The next stage of processing depends on
whether the bucket is currently in the cache:
• If the bucket resides in the local cache, the indexer searches it as usual.
After the bucket has been searched and closed, it becomes eligible for
eviction.
• If the bucket does not reside in the local cache, the cache manager must
first fetch a copy of it from remote storage and place it in the local cache.
The indexer then searches the bucket as usual. After the bucket has been
searched and closed, it becomes eligible for eviction.
Note: In some cases, the cache manager only fetches certain bucket files, not
the entire bucket. See How the cache manager fetches buckets.
Because the primary designation for a bucket rarely switches between peers,
warm buckets in cache usually reside on the peer with the primary designation
for that bucket. It is unusual for copies of the same warm bucket to reside in
caches on multiple peers, or for the bucket's primary designation to reside on a
peer without a local copy while another peer already has a local copy of that
bucket.
A cluster treats hot buckets in SmartStore indexes the same way that it treats hot
buckets in non-SmartStore indexes. It replicates the hot buckets in local storage
across the replication factor number of peer nodes.
When a bucket in a SmartStore index rolls to warm and moves to remote
storage, the remote storage service takes over responsibility for maintaining high
availability of that bucket. The replication factor has no effect on how the remote
storage service achieves that goal.
At the point that the bucket rolls to warm and gets uploaded to remote storage,
the peer nodes no longer attempt to maintain replication factor number of local
copies of the bucket. The peer node that was the source for that bucket
continues to maintain a copy of the bucket in local cache for some period of time,
as determined by the cache eviction policy. The peer nodes that were targets for
that bucket, however, immediately evict their copies from their local caches.
Even when copies of a bucket are no longer stored locally, the replication factor
still controls the metadata that the cluster stores for that bucket. Peer nodes
equal in number to the replication factor maintain metadata information about the
bucket in their .bucketManifest files. Those peer nodes also maintain empty
directories for the bucket, if a copy of the bucket does not currently reside in their
local cache.
For example, if the cluster has a replication factor of 3, three peer nodes continue
to maintain metadata information, along with populated or empty directories, for
each bucket.
By maintaining metadata for each bucket on the replication factor number of peer
nodes, the cluster simplifies the process of fetching the bucket when it is needed,
in the case of any interim peer node failure.
For example, in a cluster with a replication factor of 3, the cluster loses both hot
and warm data from its non-SmartStore indexes if three or more peer nodes are
simultaneously offline. However, the same cluster can lose any number of peer
nodes, even all of its peer nodes temporarily, and still not lose any SmartStore
warm data, because that data resides on remote storage.
Search factor, searchable copies, and primary copies
The search factor has the same effect on hot buckets in SmartStore indexes as it
does on hot buckets in non-SmartStore indexes. That is, the search factor
determines the number of copies of each replicated bucket that include the tsidx
files and are thus searchable.
For SmartStore warm buckets, the search factor has no practical meaning. The
remote storage holds the master copy of each bucket, and that copy always
includes the set of tsidx files, so it is, by definition, searchable. When, in
response to a search request, a peer node's cache manager fetches a copy of a
bucket to the node's local cache, that copy is searchable to the degree that it
needs to be for the specific search. As described in How the cache manager
fetches buckets, the cache manager attempts to download only the bucket files
needed for a particular search. Therefore, in some cases, the cache manager
might not download the tsidx files.
Primary tags work the same with SmartStore indexes as with non-SmartStore
indexes. Each bucket has exactly one peer node with a primary tag for that
bucket. For each search, the peer node with the primary tag for a particular warm
bucket is the one that searches that bucket, first fetching a copy of that bucket
from remote storage when necessary.
When a peer node fails, indexer clusters handle bucket fixup for SmartStore
indexes in basically the same way as for non-SmartStore indexes, with a few
differences. For a general discussion of peer node failure and the bucket-fixing
activities that ensue, see What happens when a peer node goes down.
This section covers the differences in bucket fixup that occur with SmartStore.
One advantage of SmartStore is that loss of peer nodes equal to, or in excess of,
the replication factor in number does not result in loss of warm bucket data. In
addition, warm bucket fixup proceeds much faster for SmartStore indexes.
In the case of hot buckets, bucket fixup for SmartStore indexes proceeds the
same way as for non-SmartStore indexes.
In the case of warm buckets, bucket fixup for SmartStore indexes proceeds much
more quickly than it does for non-SmartStore indexes. This advantage occurs
because SmartStore bucket fixup requires updates only to the .bucketManifest
files on each peer node, without the need to stream the buckets themselves. In
other words, bucket fixup replicates only bucket metadata.
Each peer node maintains a .bucketManifest file for each of its indexes. The file
contains metadata for each bucket copy that the peer node maintains. When you
replicate a bucket from a source peer to a target peer, the target peer adds
metadata to its .bucketManifest file for that bucket copy.
The buckets themselves are not replicated during SmartStore fixup because the
master copy of each bucket remains present on remote storage and is
downloaded to the peer nodes' local storage only when needed for a search.
During SmartStore replication, the target peer nodes also create an empty
directory for each warm bucket that has metadata in their .bucketManifest files.
For the sake of efficiency, this metadata streaming activity is batched, which
allows the cluster to quickly make large numbers of updates to the
.bucketManifest files.
Fixup when the number of nodes that fail is less than the replication factor
For both SmartStore and non-SmartStore indexes, the cluster can fully recover
its valid and complete states through the fixup process. The fixup process for
SmartStore warm buckets requires only the replication of metadata internal to the
cluster, so it proceeds much more quickly.
Fixup when the number of nodes that fail equals or exceeds the replication
factor
In contrast to non-SmartStore indexes, a cluster can recover all the warm bucket
data for its SmartStore indexes even when the number of failed nodes equals or
exceeds the replication factor. As with non-SmartStore indexes, though, there will
likely be some data loss associated with hot buckets.
The cluster needs to recover only missing warm bucket metadata because the
warm buckets themselves remain present on remote storage.
To recover any lost warm bucket metadata, the master node uses its
comprehensive list of all bucket IDs. It compares those IDs with the IDs in the set
of .bucketManifest files on the peer nodes, looking for IDs that are present in its
list but are not present in any .bucketManifest file. For all such bucket IDs, the
master assigns peer nodes to query the remote storage for the information
necessary to populate metadata for those buckets in their .bucketManifest files.
Additional fixup occurs to meet the replication factor requirements for the
metadata and to assign primary tags.
If the master node goes down during this recovery process, the warm bucket
metadata is still recoverable. When the cluster regains a master node, the master
initiates bootstrapping to recover all warm bucket metadata. For information on
bootstrapping, see Bootstrap a SmartStore indexer cluster.
Troubleshoot indexers and clusters of
indexers
Caution: It is unlikely that you will need to run fsck manually. This is a good
thing, because to run it manually, you must stop the indexer, and the command
can take several hours to complete if your indexes are large. During that time
your data will be inaccessible. However, if Splunk Support directs you to run it,
the rest of this section tells you how to do so.
To run fsck manually, you must first stop the indexer. Then run fsck against the
affected buckets. To run fsck against buckets in all indexes, use this command:
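The command is likely of the following form (a sketch assuming the standard splunk fsck syntax; run splunk fsck --help to confirm the exact flags for your version):

splunk fsck repair --all-buckets-all-indexes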
To rebuild all buckets in just a single index, use this version of the command:
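A sketch of the single-index form, assuming the same splunk fsck syntax (the index name is a placeholder):

splunk fsck repair --all-buckets-one-index --index-name=<index_name>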
The fsck repair command can take several hours to run, depending on the size
of your indexes. If you determine that you only need to rebuild a few buckets, you
can run the rebuild command on just those buckets, as described in the next
section, Rebuild a single bucket.
If you just want to diagnose the state of your indexes (without taking any
immediate remedial action), run:
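A sketch of the diagnostic form, assuming the scan mode of splunk fsck:

splunk fsck scan --all-buckets-all-indexes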
If the index and metadata files in a bucket (version 4.2 and later) somehow get
corrupted, you can rebuild the bucket from the raw data file alone. Use this
command:
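A sketch of the rebuild command, assuming the standard splunk rebuild syntax (the bucket path and index name below are placeholders):

splunk rebuild <bucket_directory> <index_name>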
You must stop the indexer before running the rebuild command.
Note: The indexer ignores invalid hot buckets. Data does not get added to such
buckets, and they cannot be searched. Invalid buckets also do not count when
determining bucket limit values such as maxTotalDataSizeMB. This means that
invalid buckets do not negatively affect the flow of data through the system, but it
also means that they can result in disk storage that exceeds the configured
maximum value.
It is unusual to need to rebuild the manifest. One situation where you might need
to do so is if you manually copy a bucket into an index.
Only rebuild the manifest if Splunk Support directs you to. Do not rebuild it on
your own.
This command rebuilds the .bucketManifest file for the main index only:
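A sketch, assuming the internal REST call that the CLI exposes for this purpose (confirm the exact endpoint with Splunk Support before running it):

splunk _internal call /data/indexes/main/rebuild-metadata-and-manifests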
If there are problems with the connection between peer nodes such that a source
peer is unable to replicate a hot bucket to a target peer, the source peer rolls the
hot bucket and starts a new hot bucket. If it still has problems connecting with the
target peer, it rolls the new hot bucket, and so on.
To prevent a situation from arising where a prolonged failure causes the source
peer to generate a large quantity of small hot buckets, the source peer, after a
configurable number of replication errors to a single target peer, stops rolling hot
buckets in response to the connection problem with that target peer. The default
is three replication errors. The following banner message then appears one or
more times in the master node's dashboard, depending on the number of source
peers encountering errors:
Search peer <search peer> has the following message: Too many streaming
errors to target=<target
peer>. Not rolling hot buckets on further errors to this target. (This
condition might exist with
other targets too. Please check the logs.)
While the network problem persists, there might not be replication factor number
of copies available for the most recent hot buckets.
To adjust the allowable number of replication errors, you can configure the
max_replication_errors attribute in server.conf on the source peer. However, it
is unlikely that you will need to change the attribute from its default of 3, because
replication errors that can be attributed to a single network problem are bunched
together and only count as one error. The "Too many streaming errors" banner
message might still appear, but it can be ignored.
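A minimal server.conf sketch for the source peer, assuming the setting belongs in the [clustering] stanza (the value shown is illustrative):

[clustering]
max_replication_errors = 5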
To see which target peers are generating streaming errors, you can count the failing peer GUIDs recorded in splunkd.log. For example:

grep CMStreamingErrorJob ../var/log/splunk/splunkd.log* | cut -d' ' -f10 | sort | uniq -c | sort -nr
15 failingGuid=B3D35EF4-4BC8-4D69-89F9-3FACEDC3F46E
Unable to disable and re-enable a peer
When you disable an indexer as a peer, any hot buckets that were on the peer at
the time it was disabled are rolled to warm and named using the standalone
bucket convention. If you later re-enable the peer, a problem arises because the
master remembers those buckets as clustered and expects them to be named
according to the clustered bucket convention, but instead they are named using
the convention for standalone buckets. Because of this naming discrepancy, the
peer cannot rejoin the cluster.
To work around this issue, you must clean the buckets or otherwise remove the
standalone buckets on the peer before re-enabling it.
The symptom is a message that the multisite cluster does not meet its replication
or search factors. This message can appear, for example, on the master
dashboard. This condition occurs immediately after bringing up a multisite
cluster.
This condition can occur after you convert a single-site cluster to multisite. If you
configure the cluster as multisite from the very beginning, before you first start it
up, the issue does not occur.
Occasionally, anomalous buckets can cause problems in your system. An anomalous bucket, for example, can prevent the cluster from meeting its replication and search factors.
The Bucket Status dashboard lets you identify anomalous buckets. It also allows
you to take actions on those buckets that can often fix them. Specifically, you
can:
Consult with Splunk Support before performing these actions on a bucket. Some
of the actions, performed without full understanding, can lead to further problems
with your system or even to irreversible data loss.
To identify anomalous buckets and to take action on them, use the Bucket Status
dashboard.
You can filter the list of pending buckets by fixup type and by the amount of time
that they have been waiting for fixup. If a bucket has been waiting an unusual
amount of time for fixup, it might be the cause of problems.
For buckets that have been stuck in fixup for long periods of time, you can take
remedial action.
Use the following sequence when performing actions on anomalous buckets.
Only perform the next action if the previous one does not resolve the issue.
These details can help to narrow down the cause of the bucket problem and what
action to take to remediate it.
Roll
This action rolls the bucket from the hot state to the warm state. It has an effect
only on hot buckets.
Resync
The master holds information about each copy of a bucket. However, in some
cases, the master can have incorrect information about the copy on a particular
peer. This condition can occur when communication problems arise between the
master and a peer.
Here are some examples of bucket copy state information that can be out of sync
between peer and master:
The peer knows the state of its bucket copies, so if the peer and the master have
different state information for a bucket copy, the information on the master is
incorrect.
To resolve this problem, resync the bucket copy's state on the master. When you
resync a bucket, you specify the peer with the copy that you need to resync. The
resync process causes the peer to send the master its current information about
the bucket copy.
Delete Copy
You can delete either a single copy of a bucket on a specific peer, or all copies of
a bucket across the entire cluster.
If deleting a single copy causes the cluster to lose its complete state, the cluster
will engage in fixup activities so that the bucket again meets both the search
factor and the replication factor. This situation might result in another copy of the
bucket appearing on the same peer. If, however, the specified bucket is frozen,
the cluster does not attempt any fixup activities.
Performing the delete action on all copies of a bucket across the cluster results in
irreversible data loss.
By default, the master pushes the bundle to all peers simultaneously. The
max_peers_to_download_bundle setting in server.conf provides a means to limit
the number of peers that receive the bundle simultaneously.
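For example, a server.conf sketch for the master, assuming this setting also lives in the [clustering] stanza (the value shown is illustrative):

[clustering]
max_peers_to_download_bundle = 5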
To cancel and reset the bundle push operation, hit the following endpoint on the
master: cluster/master/control/default/cancel_bundle_push.
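One way to hit that endpoint is from the master's command line; this is a sketch that assumes the splunk _internal call CLI and a POST method:

splunk _internal call /services/cluster/master/control/default/cancel_bundle_push -method POST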
Archive data with Hadoop Data Roll
Setting it up
• By editing indexes.conf
• In Splunk Web
System requirements
Make sure you have access to at least one Hadoop cluster (with data in it) and
the ability to run MapReduce jobs on that data.
Make sure you have Java 1.6 or later. For best results, we suggest using a version
later than 1.6.
• Apache Hadoop
♦ 0.20
♦ 1.0.2
♦ 1.0.3
♦ 1.0.4
♦ 2.4
♦ 2.6
♦ 2.7
• Cloudera Distribution Including Apache Hadoop
♦ 4
♦ 4.2
♦ 4.3.0
♦ 4.4 (HA NN and HA JT)
♦ 5.0
♦ 5.3
♦ 5.3 (HA)
♦ 5.4
♦ 5.5
♦ 5.6
• Hortonworks Data Platform (HDP)
♦ 1.3
♦ 2.0
♦ 2.1
♦ 2.2
♦ 2.3
♦ 2.4
• MapR
♦ 2.1
♦ 3.0
♦ 5.0
• Amazon Elastic MapReduce (EMR)
• IBM InfoSphere BigInsights
♦ 5.1
• Pivotal HD
On Hadoop TaskTracker nodes you need a directory on the *nix file system
running your Hadoop nodes that meets the following requirements:
What you need on your Hadoop file system
• A subdirectory under the above directory that can be used by this server
for intermediate storage, such as /user/hadoopanalytics/server01/
You can search archived buckets as you normally would; simply include the
archive virtual index in your searches. See Search archived index data for
information about search commands that work with indexes stored in Hadoop.
You can, for example, create a single search that spans both your local indexes and your archive virtual indexes.
Search performance
To improve search time when searching archives, you can use dates to limit the
buckets that are searched. The storage path for archived indexer data includes the
earliest and latest times of the buckets. So when you search within a
certain time, Splunk is able to use that information to narrow searches to relevant
buckets, rather than searching through the entire archived index.
How Hadoop Data Roll works
Once you configure an index as an Archive, a number of processes work to
move aged data into archived indexes:
3. archivebuckets copies the Hadoop Data Roll jars into its own app directory,
then launches distributed searches for each provider for the indexes to be
archived.
4. The information for the index and its provider is fed to the search.
5. For each indexer, Splunk copies the knowledge bundle needed to run the
search.
6. On the indexer, copybuckets launches a Java process, with the same entry
point (the SplunkMR class) used for Splunk Analytics for Hadoop searches.
7. Splunk passes the info about providers and indexes to the Java process using
stdin.
8. When the Java process sends events back to Splunk, it writes them to stdout,
and the custom search command (copybuckets.py) writes them back to the
search process using stdout.
10. The Java process checks all buckets in the designated indexes. If the
buckets are ready to be archived, the process determines whether the buckets
already exist in the archive. It accesses the archive using the provider
information.
11. If the bucket has not yet been archived, the bucket is copied to a temporary
directory at the archive. Once the bucket is completely copied and a receipt file is
added, it is moved to the correct folder in the archive.
12. If the bucket was previously archived, any new data that has reached its
archive date is copied into that bucket.
• Search process on the search head (search scheduler)
  Process name/action: archivebuckets
  Notes: This is the search activity, including scheduling, that occurs on the search head.
• Python process on the search head
  Process name/action: archivebuckets.py
• Search process on an indexer
  Process name/action: copybuckets <JSON describing indexes>
  Notes: This is all of the search activity that occurs on the indexer.
• Python process on an indexer
  Process name/action: copybuckets.py
• Java Virtual Machine process on an indexer
  Process name/action: Hunk Java code
  Notes: This process ties the other processes together, and does the following:
  1. Writes files to HDFS
  2. Logs information to $SPLUNK_HOME/var/log/splunk/splunk_archiver.log
  3. Writes events to stdout, which is piped back to the Splunk search process | copybuckets <JSON describing indexes>
The Hadoop Data Roll search framework strings these processes together and
pipes them as follows:
4. The copybuckets.py Python process pipes the stdout of the Hadoop Data Roll
Java code (the Java Virtual Machine process on an indexer) through its own
stdout to the search process on the indexer (copybuckets <JSON describing
indexes>).
At the end of this process, anything that the Hadoop Data Roll Java code (JVM
process on an indexer) writes to stdout becomes events returned from the
search scheduler | archivebuckets.
When Hadoop Data Roll pauses or finalizes a search, this information must be
passed to downstream processes.
For example, if the search process on an indexer shuts down, the search could
kill the child process, which then prevents the indexer Python process from
shutting down gracefully. If the Python process is using a shared resource
such as a database connection, or an output stream to HDFS, this could cause
failure and possible loss of data.
To resolve this, the search process lets the child process decide what to do
should the search process suspend or shut down. If the search process on an
indexer is paused, it stops reading from its pipe to the Python process on an
indexer. When this happens, the Python process on the indexer can no longer
write to the pipe once the buffer fills up.
The Python process is able to determine that the search process on an indexer
still exists, but is paused.
If the archiving Java process in the indexer finds a broken pipe to the indexer
search process, it logs that information, but continues to finish archiving until the
buffer is full. If this is not desired, simply kill the Java process.
• The host name and port for the NameNode of the Hadoop cluster.
• The host name and port for the JobTracker of the Hadoop cluster.
• Installation directories of Hadoop command line libraries and Java
installation.
• Path to a writable directory on the DataNode/TaskTracker *nix filesystem,
the one for which the Hadoop user account has read and write permission.
• Path to a writable directory in HDFS that can be used exclusively by
Splunk on this search head.
Add a provider
2. Select the Providers tab and click New Provider or the name of the provider
you want to edit.
3. On the Add New/Edit Provider page, give your provider a Name.
4. Select the Provider Family in the drop down list (note that this field cannot be
edited).
• HDFS working directory: This is a path in HDFS (or whatever the default
file system is) that you want to use as a working directory.
• Job queue: This is the job queue to which you want the MapReduce jobs for
this provider to be submitted.
8. Click Add Secure Cluster to configure security for the cluster and provide
your Kerberos Server configuration.
Note: If you are configuring Splunk Analytics for Hadoop to work with YARN, you
must add new settings. See "Required configuration variables for YARN" in this
manual.
9. Click Save.
Configure Splunk index archiving to Hadoop using
the configuration files
Before you begin, note the following:
Use the following attribute to specify how many bundles may accrue before
Splunk Enterprise deletes them:
vix.splunk.setup.bundle.reap.limit = 5
The default value is 5, which means that when there are more than five bundles,
Splunk Enterprise will delete the oldest one.
[splunk_index_archive]
vix.output.buckets.from.indexes
vix.output.buckets.older.than
vix.output.buckets.path
vix.provider
Where:
• vix.output.buckets.from.indexes is the exact name of the Splunk index
you want to copy into an archive. For example: "splunk_index." You can
list multiple Splunk indexes separated by commas.
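For illustration, here is a filled-in sketch of the stanza above; the index name, age in seconds, destination path, and provider name are example values only:

[splunk_index_archive]
vix.output.buckets.from.indexes = splunk_index
vix.output.buckets.older.than = 432000
vix.output.buckets.path = /user/root/archive/splunk_index_archive
vix.provider = hadoop_cluster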
You can set bandwidth throttling to limit the transfer rate of your archives.
When you set throttling for a provider, that limit is applied across all archives
assigned to that provider. To configure throttling, add the following attribute under
the virtual index provider stanza you want to throttle.
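The attribute below is an assumption about the provider-level bandwidth setting; confirm the exact attribute name and units in the indexes.conf specification for your release before using it:

vix.output.buckets.max.network.bandwidth = <max_bandwidth>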
• You must configure a Hadoop provider.
• Splunk must be installed using the same user for all indexers and Splunk
Enterprise instances. This is the user that connects to HDFS for
archiving, and the user and its permissions must be consistent.
• The data in the referring Index must be in warm, cold, or frozen buckets
only.
• The Hadoop client libraries must be in the same location on each indexer.
Likewise, the Java Runtime Environment must be installed in the same
location on each indexer. See System and software requirements for
updated information about the required versions.
• The Splunk user associated with the Splunk indexer must have permission
to write to the HDFS node.
• Splunk cannot currently archive buckets with raw data larger than 5GB to
S3. You can configure your Splunk Enterprise bucket sizes in
indexes.conf. See Archiving Splunk indexes to S3 in this manual for
known issues when archiving to S3.
1. Navigate to Settings > Virtual Indexes and select the Archived Indexes tab.
You can edit any existing archived index by clicking the arrow to its left.
3. Type the names of the indexes you want to archive. You can add multiple
indexes. Indexes that are already archived are disabled in the drop down list.
4. Provide a suffix for the new archive indexes. For example, if you select the
"_archive" suffix, the new archived index will be "indexname_archive".
5. Select the Hadoop Provider that the new archived indexes will be assigned to.
Note that you can limit the bandwidth, per provider, that these archives can use.
See "Set bandwidth limits for archiving" in this topic.
6. For Destination path in HDFS, provide the path to the working directory your
provider should use for this data. For example:
/user/root/archive/splunk_index_archive. If you are copying data to S3, prefix
this path with: s3n://<s3-bucket>/
7. Determine the age of the data that is copied to the archived index. For
example, if you select "5 Days," data is copied from the warm, cold, or frozen
bucket in the indexer to the archive bucket when it is five days old. Note: Splunk
deletes data after a period of time defined in your indexer settings, so make sure
that this field is set to copy the buckets before they are deleted.
If you have concerns about the bandwidth required for consistent archiving, you
can set bandwidth throttling. When you set throttling for a provider, the limit you
set for your provider is then applied across all indexes assigned to that provider.
1. In the Archived Indexes tab, click on Max bandwidth (Provider) for the index
you want to edit. This opens the Edit Provider page for that index.
3. Enter the maximum bandwidth you want to allow for all archived indexes
associated with the provider.
4. Click Save.
vix.env.HADOOP_HOME: /absolute/path/to/apache/hadoop-2.6.0
vix.fs.s3a.access.key: <AWS access key>
vix.fs.s3a.secret.key: <AWS secret key>
vix.env.HADOOP_TOOLS: $HADOOP_HOME/share/hadoop/tools/lib
vix.splunk.jars:
$HADOOP_TOOLS/hadoop-aws-2.6.0.jar,$HADOOP_TOOLS/aws-java-sdk-1.7.4.jar,$HADOOP_TOOLS/ja
2. Using the above configuration, create an archive index with a path prefixed
with s3a://:
s3a://bucket/path/to/archive
In this example,
• s3a is the implementation Hadoop will use to transfer and read files from
the supplied path
• bucket is the name of your S3 bucket
• /path/to/archive are directories within the bucket
If you're just using a search head to search your archives, then set the provider's
vix.mode attribute to stream:
vix.mode = stream
When vix.mode is set to stream, Splunk Enterprise streams all the data the
search matches to the search head, and will not spawn MapReduce jobs on
Hadoop.
If the Hadoop version for search head archive indexes is compatible with your
Hadoop cluster, no additional configuration is necessary to search your archive
indexes. Just go to the Splunk Web search bar and enter:
index=<your-archive-index-name>
The search head will spawn Hadoop MapReduce jobs against your archive when
it's appropriate to do so.
If your Hadoop cluster version is not compatible with your Hadoop Home
version
You can still use Data Roll if your Hadoop cluster is not compatible with your
Hadoop client libraries (that have the S3a filesystem). An example of this is if you
are using Apache Hadoop 2.6.0 for archiving, but you are using Hadoop 1.2.0 for
your Hadoop cluster. To do this, use the older S3n filesystem to search your
archives.
2. For every archive index, configure indexes.conf from your terminal and add a
new virtual index with these properties:
[<virtual_index_name_of_your_choosing>]
vix.output.buckets.path =
<archive_index_destination_path_with_s3n_instead_of_s3a>
vix.provider = <hadoop_cluster_provider>
3. Make sure that vix.output.buckets.path uses the s3n scheme so that Splunk
Enterprise uses the older filesystem to search your archives. For example:
[main_archive_search]
vix.output.buckets.path = s3n://my-bucket/archive_root/main_archive
vix.provider = hadoop_cluster
When using Hadoop's S3N filesystem, you're limited to uploading files that are
less than 5GB. While it's rare, it's possible that Splunk buckets become larger
than 5GB. These buckets would not get archived when using the S3N filesystem.
If you use the S3N filesystem, configure your indexes to roll buckets from hot to
warm at a size less than 5 GB via the maxDataSize attribute in indexes.conf.
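For example, a minimal indexes.conf sketch using maxDataSize (the value is in MB; 4000 is an illustrative size safely below the 5 GB limit):

[<your_index>]
maxDataSize = 4000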
For more information, see the Splunk blog about faster and limitless archiving with S3A.
Because of how Hadoop interacts with the S3 file system, Splunk Enterprise
cannot currently archive buckets with raw data sets larger than 5GB to S3.
When archiving to S3, data is copied twice. This is because S3 does not support
file renaming, so the FileSystem implementation emulates a rename by first
copying the data to the new location and then deleting the original.
For the most part, you can create reports for virtual indexes much as you would
for local indexes. For more information about creating reports, see the Splunk
Enterprise Search Manual.
Since events are not sorted, any search command which depends on implicit
time order will not work exactly the way you'd expect. (For example: head, delta,
or transaction.) This means that a few search commands operate differently
when used on virtual indexes, mostly because of the way Hadoop reports
timestamps.
You can still use these commands, and may particularly want to when creating a
single report for local and virtual indexes, but you should be aware of how they
operate and return data differently.
Search language
For the most part, you can use Splunk Enterprise search language to create your
reports. However, because Hadoop does not support strict requirements on the
order of events, there are a few differences.
The following commands are not supported when the search includes an
archived index:
• transactions
• localize
The following commands work on archived indexes, but their results may differ
from those on local Splunk indexes. This is because in Hadoop, descending time order of events is not
guaranteed:
• streamstats
• head
• delta
• tail
• reverse
• eventstats
• dedup (Since the command cannot distinguish order within an HDFS
directory to pick the item to remove, Splunk Analytics for Hadoop will
choose the item to remove based on modified time, or file order.)
Distributable search commands are the most effective commands for Hadoop Data
Roll reports because they can be distributed to search peers and archived
indexes. Generally, non-distributable commands only work on local indexes and
are not as effective on archived indexes.
You can create searches across different index types that use both distributable
and non-distributable commands, as long as you keep in mind that such a
search returns all data from the local indexes but limited data from the virtual
indexes.
• INDEXED_EXTRACTIONS
• HEADER_FIELD_LINE_NUMBER
• PREAMBLE_REGEX
• FIELD_HEADER_REGEX
• FIELD_DELIMITER
• FIELD_QUOTE
• HEADER_FIELD_DELIMITER
• HEADER_FIELD_QUOTE
• TIMESTAMP_FIELDS = field1,field2,...,fieldn
• FIELD_NAMES
• MISSING_VALUE_REGEX
Once you configure an index to archive data, the archiving of indexes runs on a
schedule that is determined globally on the Splunk search head.
When both processes occur, a disconnect can occur between the indexer's local
processes and the archiving process. As a result, the indexers can delete a
bucket before it's been archived.
To prevent buckets from being deleted before they are archived, you can use the
splunk_archiver app's coldToFrozen.sh script on the local indexer process. This script shifts the
responsibility for deleting buckets from the indexer to Hadoop Data Roll, so only
use this script for indexes that are being archived.
Consider the coldToFrozen.sh script as a fallback and not your primary hook for
archiving. This script buys you more time when either your system is receiving
data faster than normal, or when the archiving storage layer is down, so that
you'll have more time to archive a given bucket. To facilitate this further, for each
archive index you can set vix.output.buckets.older.than (a value in seconds) as
low as possible, so that buckets are archived as quickly as possible.
• The coldToFrozenScript setting must be added to each indexes.conf stanza
that configures an index being archived.
• All of the search head's search peers must have the script installed. You
can install it on each peer manually or use the deployer for search head clusters.
• The script must be removed from any index for which you disable
archiving. Otherwise, the script will continue to run and the data will overfill
your existing disk space because there is no archive to receive that data
(and thus it will not get deleted).
• Do not add this script to any indexers that are not configured to archive
data.
[<index name>]
coldToFrozenScript =
"$SPLUNK_HOME/etc/apps/splunk_archiver/bin/coldToFrozen.sh"
Data archiving is performed from the Indexers. However, all the archiving setup
is done from the Search Head. Permissions issues between the search head and
indexer will prevent archiving.
For example, if the indexer permissions are not identical to those on the search
head, you might see this exception:
java.io.IOException: Login failure for null from keytab
/etc/security/keytabs/splun.keytab:
javax.security.auth.login.LoginException: Unable to obtain password
from user
You can test permissions by copying files from the indexers as the Splunk user
to HDFS: hadoop fs -put somefile /user/splunk/archive
Check the following to make sure the Splunk user is configured consistently with
the HDFS permissions:
Trap all archiving errors in a generic way and then raise an alert
To open the archiving dashboard for debugging, access: Settings > Virtual Index
> Archived Indexes > View Dashboards