All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple HF for one Event Hub | Splunk Add-on for Microsoft Cloud Services

GaetanVP
Contributor
‎11-29-2022 01:18 AM

Hello Splunkers,

I configured my HF to pull data from an Event Hub, all good I'm receiving logs, but to much (around 130Gb/Day) and my HF often has some trouble to parse and forward the logs during "the peak of data".

I wanted to use an additional HF in order to "share" the work but I do not know how to proceed. If I configured the Add-On on this new HF the same way I did for the first, I will just end up with duplicated data...

Would you have any idea ?  

Thanks,
GaetanVP

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-29-2022 01:51 AM

Hi @GaetanVP,

you have two solutions:

  • the one hinted by @isoutamo of using two HFs, each one with different Data Sources;
  • give more resources to your HF to be sure that it's able to manage all the Data.

They are both efficient:

  • the first has the advantage that you have also two network interfaces to use;
  • the second it's easier to implement if you are using a virtual HF.

I'd use the second monitoring if the network connection is able to accept the traffic, if yes, you solved the issue, if not, you can add a second HF.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-29-2022 01:51 AM

Hi @GaetanVP,

you have two solutions:

  • the one hinted by @isoutamo of using two HFs, each one with different Data Sources;
  • give more resources to your HF to be sure that it's able to manage all the Data.

They are both efficient:

  • the first has the advantage that you have also two network interfaces to use;
  • the second it's easier to implement if you are using a virtual HF.

I'd use the second monitoring if the network connection is able to accept the traffic, if yes, you solved the issue, if not, you can add a second HF.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

GaetanVP
Contributor
‎11-29-2022 06:07 AM

Hello @gcusello thanks for your answer, it makes sense.

However do we agree that both solution will still represent a single point of failure. If the HF (or one of the two HF) go down, I will miss all logs (or at least some of them).

Thanks,
GaetanVP

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-29-2022 07:04 AM

Hi @GaetanVP,

it should be a Single Point of Failure if you use the HF to receive data, but you are using this HF to pull data from Cloud, so it isn't mandatory to be redundant.

You could also have a cold copy of it ready to be turned on.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-29-2022 10:47 AM

Currently the issue with HA HF is replicate checkpoints to avoid duplicate data. As far as I know currently there is no official way to replicate checkpoints with several HFs. Of course you could use some synchronization method between master and secondary nodes to prepare failure situation, but quite probably you will get at least some events duplicated when failover happens. 

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎11-29-2022 01:38 AM

Hi

 haven't try this by myself, but can you use several consumer groups and then configure each HF to pull only one or some of those? https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-features

r. Ismo

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...