All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Will I get duplicate events if I have Multiple Heavy Forwarders (HF) having same inputs set up?

vrmandadi
Builder
‎01-28-2020 10:21 AM

We have splunk add-on for aws installed on one of the hf .Can we install the same add-on other HF and create the same inputsso that when one of the hf is down and the other sends data. Is this possible ? or any other work around for this?

Thanks in Advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-28-2020 11:10 AM

Don't do this.

Yes you would end up with duplicate events.

A better solution is to install multiple HFs with a different selection of inputs on each. (Depending on your AWS footprint, maybe you configure all inputs for a single region on each HF?)

This won't give you fault tolerance if a single HF fails, but it will reduce the amount of disruption as you would still collect data from the surviving HFs.

The AWS TA is a heavyweight app particularly if you collect all AWS data sources for a large number of resources.
Spreading the load across a pool of HFs like this can stop any single HF getting too bogged down.

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎01-28-2020 11:10 AM

Don't do this.

Yes you would end up with duplicate events.

A better solution is to install multiple HFs with a different selection of inputs on each. (Depending on your AWS footprint, maybe you configure all inputs for a single region on each HF?)

This won't give you fault tolerance if a single HF fails, but it will reduce the amount of disruption as you would still collect data from the surviving HFs.

The AWS TA is a heavyweight app particularly if you collect all AWS data sources for a large number of resources.
Spreading the load across a pool of HFs like this can stop any single HF getting too bogged down.

If my comment helps, please give it a thumbs up!
Reply
Solved! Jump to solution

vrmandadi
Builder
‎01-29-2020 07:57 AM

Thank you for your explanation

0 Karma
Reply
Solved! Jump to solution

dindu
Contributor
‎01-28-2020 10:29 AM

Hi,

You need to go with load balancing to address HF failovers.
The below documentation will help.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Setuploadbalancingd

https://docs.splunk.com/Documentation/Forwarder/8.0.1/Forwarder/Configureloadbalancing

0 Karma
Reply
Solved! Jump to solution

vrmandadi
Builder
‎01-28-2020 11:09 AM

@dindu thank you for your reply .But creating two same inputs on both HF does create duplicate events right?

0 Karma
Reply
Solved! Jump to solution

dindu
Contributor
‎01-28-2020 11:37 AM

Hi,

Yes - the Splunk indexer will treat each input as different and index the same data.

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...