Re: Deployment Client Sending Logs to Backup Log C...

daniaabujuma · ‎07-06-2023

Hello,

I have a question regarding forwarding and receiving in Splunk. Can I configure the deployment client to send logs to another log collector in case the first one is not responding or receiving logs? To be more specific, is there any kind of configuration that can be done so the deployment client will automatically switch to another log collector if the first one isn't available?

Thank you.

isoutamo · ‎07-06-2023

Hi

You are using "weird" terminology for Splunk. So I made some assumptions for those 😉

Deployment Client is usually called UF / forwarder.
Log Collector is indexer / search peer

You could add several indexer on outputs.conf and then UF can use all of those. But there is no automatic process how it can normally send to one indexer and if it's down then switch to another and go back when 1st will be back in the business.

When you have configured only one indexer in outputs.conf then if it's down then UF just stop sending data to it and wait until it will be back.

If/when you want to HA solution for receiving logs you should setup multiple individual indexers or even better to set up indexer cluster. See more about https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutclusters

My personal opinion is that when you are setting up distributed environment, you should always set up also indexer cluster. If you have only few GBs per day ingested events, you could set up "single node cluster" and when your indexing amount will increase then it's really easy just to add additional nodes to that cluster.

r. Ismo

Deployment Client Sending Logs to Backup Log Collector

deployment client

deployment server

forwarder management

heavy forwarder

universal forwarder

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio