Deployment Architecture

Data lost - splunk reload deploy-server

rlaan
Path Finder

I noticed that when pushing configuration changes from the deployment servers to additional components (U-forwarders, H-forwarders, indexers, search heads) via the "splunk reload deploy-server" command that there were small 20-25 sec periods of missing data ingest.

I was under the impression that after these configuration pushes Splunk would catch up or re-index the data during the change. It appears that this is not the case, after having to explain some missing data gaps.

How can I push configuration changes without causing a loss of data ingest? (Working with busy access_combined/apache access logs, so a few hundred events are missed during a 20 second window.)

Additionally, I have the full log files; is there a way to only re-index non-repeat events? I feel trying to delete the existing logs via Splunk search and re-indexing with a "oneshot" method would be very time consuming over many servers.

0 Karma

richgalloway
SplunkTrust

It sounds like your Splunk architecture could use some improvements.  While it can be done, it's not typical (or recommended) to use the DS to manage all instance types.  The DS is designed to manage forwarders.

The search heads probably should be in a cluster and managed by a SHC Deployer.

More importantly, however, the indexers should be clustered and managed by a Manager Node (MN).  The MN will push apps to the indexers and control when they restart to ensure at least one is available to receive data at all times.

Make sure all forwarders have the names (or IP addresses) of all indexers.  That way the forwarder can send data to another indexer if one is unavailable.  Consider using the Indexer Discovery feature where the forwarders get the list of indexers from the MN.  That will avoid having to update the forwarders when an indexer is added or removed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
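What the forwarder-side change in this reply looks like in outputs.conf, as an added example that is not from the thread or from Splunk's own docs: the single-indexer setting that leaves a gap whenever that indexer restarts, beside the multi-indexer and Indexer Discovery forms. Host names, the port, the group names and the key value are assumed placeholders.

```ini
# --- Weak (constructed): one indexer, so any restart on that host is an ingest gap ---
[tcpout]
defaultGroup = single_idx

[tcpout:single_idx]
server = idx01.example.local:9997   # assumed host name

# --- Corrected: every indexer listed; the forwarder load-balances and fails over ---
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx01.example.local:9997, idx02.example.local:9997, idx03.example.local:9997
autoLBFrequency = 30   # seconds between switching indexers
useACK = true          # indexer acknowledges receipt before the forwarder moves on

# --- Alternative: Indexer Discovery, indexer list fetched from the Manager Node (MN) ---
[tcpout:idx_cluster_discovery]
indexerDiscovery = mn_group
useACK = true

[indexer_discovery:mn_group]
master_uri = https://mn01.example.local:8089     # assumed MN host; newer releases also accept manager_uri
pass4SymmKey = <placeholder: must match [indexer_discovery] pass4SymmKey in the MN's server.conf>
```

Only one `[tcpout]` / `defaultGroup` block belongs in a deployed file; the two are shown together here purely for comparison.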

rlaan
Path Finder

Thank you for the suggestion, I will have to do some reading into these components and how to configure them. I currently do not have clustered search heads or indexers replicating the data, so I did not think they were required.  It provides me with a direction to investigate, thank you!

0 Karma