Splunk 6.5 Under the Hood: Clustering Enhancements


Intro

By now I’m sure you’ve heard about the release of Splunk Enterprise 6.5. Those of you who were at .conf 2016 got to see many of the new features during the keynotes, in sessions, and at the various booths.

Splunk Enterprise 6.5 brings lots of great enhancements related to user experience such as table datasets, conditional table formatting, dashboard editing, and enhanced search/SPL assistance. For those of you who have not had a chance to see some of the new features yet, I encourage you to check out this short video: What's New In Splunk Cloud & Splunk Enterprise 6.5

As a Splunk consultant and administrator of large distributed deployments, I was looking forward to seeing the “under the hood” enhancements. Splunk 6.5 does not disappoint with several great administrative features related to managing an indexer cluster. In this blog I will highlight a few of the bigger features.

Indexer Clustering: Rebalance

This feature allows an administrator to rebalance indexed data across all available indexers, achieving even data distribution and better utilization of available physical resources. It does this by redistributing buckets, rounded to a specified threshold, until the total number of buckets on all peers is balanced. All buckets on each peer, including searchable, primary, and non-searchable buckets, are balanced.

Note that rebalancing is both site aware and index aware: it rebalances data across multi-site clusters and is done on a per-index basis.

Now why is this such a great feature? Most larger Splunk deployments scale over time as data ingestion levels grow. This often leads to an imbalance of data across the cluster and causes higher resource utilization on the older peers in the cluster. Also, with multi-site clustering, we sometimes see networks with firewall rules that limit large numbers of forwarders to sending to one site. This can cause an imbalance in the primary buckets between the two sites. The cluster rebalance feature now allows us to address both of these issues easily and routinely.
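The following is a simplified model of the per-index bucket rebalancing described above, added here as an illustration and not Splunk's own code. The peer names, bucket counts, and the reading of the threshold as a band around the per-index average are assumptions, and the model ignores sites.

```python
from collections import Counter

def rebalance(bucket_counts, threshold=0.9):
    """Simplified model: even out bucket counts per index across peers.

    bucket_counts: {index_name: {peer_name: bucket_count}} (constructed input).
    threshold: assumed to mean a peer is balanced when its count lies within
    [avg * threshold, avg * (2 - threshold)] of the per-index average.
    Returns (new_counts, moves), moves being a Counter of (index, src, dst).
    """
    new_counts, moves = {}, Counter()
    for index, peers in bucket_counts.items():
        peers = dict(peers)  # work on a copy, leave the input untouched
        avg = sum(peers.values()) / len(peers)
        low, high = avg * threshold, avg * (2 - threshold)
        while True:
            src = max(peers, key=peers.get)  # most loaded peer
            dst = min(peers, key=peers.get)  # least loaded peer
            if peers[src] <= high and peers[dst] >= low:
                break  # every peer is inside the band
            if peers[src] - peers[dst] <= 1:
                break  # whole buckets cannot be split any further
            peers[src] -= 1
            peers[dst] += 1
            moves[(index, src, dst)] += 1
        new_counts[index] = peers
    return new_counts, moves

# Constructed sample: idx3 joined the cluster long after idx1 and idx2.
SAMPLE = {
    "main": {"idx1": 130, "idx2": 115, "idx3": 10},
    "os": {"idx1": 30, "idx2": 30, "idx3": 30},
}

if __name__ == "__main__":
    counts, moves = rebalance(SAMPLE)
    for index, peers in counts.items():
        print(index, peers)
    for (index, src, dst), n in sorted(moves.items()):
        print(f"{index}: moved {n} buckets {src} -> {dst}")
```

In this model a lower threshold stops sooner and moves fewer buckets, while a threshold of 1.0 keeps moving buckets until the counts are as even as whole buckets allow.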

Indexer Clustering: Management

With 6.5 there are also several new administrative enhancements and features pertaining to managing an indexer cluster. Many of these new features can be controlled through the UI on the Cluster Master.

One enhancement is that when a peer is placed in manual detention, the detention will persist across restarts. Of course this will be useful whenever maintenance needs to be performed on individual indexers.

There is also now an option, via the UI, to validate cluster bundles prior to deploying them across the cluster. This will provide admins with an additional check of all configuration changes being pushed out to the indexers.

The UI also now provides additional details and options for buckets that have issues meeting their search or replication factors. These UI options, which were previously only available via the REST API, include the ability to roll, resync, and delete buckets. This gives an administrator great flexibility and control when they need to fix issues related to specific buckets of their data.

In conclusion, I hope you have seen the potential benefits of some of these new clustering features in Splunk Enterprise 6.5. Please reach out to Function1 if you need any assistance with your upgrade to 6.5!


* Title Image Credit: http://www.theventureonline.com/wp-content/uploads/2011/11/FocusElectric...

* Image Credits: Splunk Enterprise 6.5 Overview - https://splunkbase.splunk.com/app/3287/
