Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Fronting indexer with load balancer for HA in distributed search scenario?

brettw10
Explorer
‎04-17-2012 08:55 PM

Hi,

I have 2 sites that both contain the same full set of syslog log files. I am currently looking to ingest the logfiles at both sites, using the other site to fail over to in the event of an indexer going down - a load balancer (F5 LTM) would take care of this for me. Each site will also have some local indexers that ingest information that is only relevant to that site. The search head at each site would be configured for distributed search, pointing at the indexers containing site-relevant data and at a virtual server on the load balancer, which is configured with a pool containing the local and remote syslog indexers (local site preferred).

Is it possible to front an indexer with a load balancer for high availability in a distributed search scenario, and if so, what caveats, if any, exist? What about any certificate exchange between the search head and indexer(s)?

Regards,
Brett.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-17-2012 09:47 PM

You can do this just fine. The connection is a standard https connection. Each indexer must be configured independently to accept search requests from the search head.

0 Karma
Reply

brettw10
Explorer
‎04-17-2012 10:18 PM

Hey gkanapathy,

Thanks for the response.I guess that I have two options for the server-side SSL connection then:

1.Import the load balancer's default key into the indexer as the trusted key; or
2.Load the search head's key into the load balancer (server side SSL config) and the indexer, so that the LB can present this to the indexer on behalf of the search head.

Which approach would be considered "best practice"?

Rgds,
Brett.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...