Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fronting indexer with load balancer for HA in distributed search scenario?

brettw10
Explorer
‎04-17-2012 08:55 PM

Hi,

I have 2 sites that both contain the same full set of syslog log files. I am currently looking to ingest the logfiles at both sites, using the other site to fail over to in the event of an indexer going down - a load balancer (F5 LTM) would take care of this for me. Each site will also have some local indexers that ingest information that is only relevant to that site. The search head at each site would be configured for distributed search, pointing at the indexers containing site-relevant data and at a virtual server on the load balancer, which is configured with a pool containing the local and remote syslog indexers (local site preferred).

Is it possible to front an indexer with a load balancer for high availability in a distributed search scenario, and if so, what caveats, if any, exist? What about any certificate exchange between the search head and indexer(s)?

Regards,
Brett.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-17-2012 09:47 PM

You can do this just fine. The connection is a standard https connection. Each indexer must be configured independently to accept search requests from the search head.

0 Karma
Reply

brettw10
Explorer
‎04-17-2012 10:18 PM

Hey gkanapathy,

Thanks for the response.I guess that I have two options for the server-side SSL connection then:

1.Import the load balancer's default key into the indexer as the trusted key; or
2.Load the search head's key into the load balancer (server side SSL config) and the indexer, so that the LB can present this to the indexer on behalf of the search head.

Which approach would be considered "best practice"?

Rgds,
Brett.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...