A Splunk indexer cluster offers benefits such as high availability, simplified scaling and disaster recovery. The following figure shows the Splunk Enterprise clustered infrastructure deployment, Single Site (C1/C11), with a single search head, one cluster master and two indexer peers:
Figure 5. Splunk Enterprise clustered infrastructure for 50 GB/day data indexing volume with 30-day hot/warm retention
Search head searches the data in the cluster.
Cluster master (or master node) manages the indexing tier and is responsible for coordinating and enforcing the configured data replication policy. The same cluster master has been configured as the license master.
Indexer peer nodes perform the indexing of ingested data.
Replication factor defines the number of copies of raw data that the Splunk cluster maintains. For more details, see Splunk replication factor.
Search factor defines how many searchable copies of the indexed data need to be maintained. For more details, see Splunk search factor.
In addition, one universal forwarder (UF) was configured to send the log data to the cluster.
Note: The Splunk-recommended (and default) replication factor is 3, while a replication factor of 2 provides minimal protection against a single indexer node failure.
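The roles described above map to a few server.conf and outputs.conf stanzas. This is an added example, not configuration taken from this deployment: the host names, the receiving port 9997, the replication port 9887, the key placeholder and the search factor value are assumptions, and the replication factor is set to the value of 2 discussed in the note.

```ini
# --- Cluster master: $SPLUNK_HOME/etc/system/local/server.conf ---
[clustering]
mode = master
# A cluster needs at least as many peers as the replication factor,
# so two indexer peers can satisfy a replication factor of at most 2.
replication_factor = 2
# Assumed value. search_factor must be less than or equal to replication_factor.
search_factor = 2
# Shared secret; must be identical on the master, every peer and the search head.
pass4SymmKey = <cluster-secret-placeholder>

# --- Each indexer peer: $SPLUNK_HOME/etc/system/local/server.conf ---
# Port on which this peer receives replicated bucket data from the other peer.
[replication_port://9887]

[clustering]
mode = slave
master_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster-secret-placeholder>

# --- Search head: $SPLUNK_HOME/etc/system/local/server.conf ---
[clustering]
mode = searchhead
master_uri = https://cm.example.internal:8089
pass4SymmKey = <cluster-secret-placeholder>

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = cluster_peers

[tcpout:cluster_peers]
# Load-balance across both peers (hypothetical host names).
server = idx1.example.internal:9997, idx2.example.internal:9997
# Indexer acknowledgment: the forwarder resends data a peer did not confirm.
useACK = true
```

With these values the cluster keeps two copies of each bucket, both searchable, so it can lose one of the two peers without losing indexed data or search coverage, which is the minimal protection the note refers to.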