Deployment Architecture

How to achieve The High availability and Disaster recovery architecture in Splunk distributed environment.

Gk7
Engager

Do we have any facility in the Splunk that we can achieve the High availability or Disaster recovery features in the Splunk. if yes, please share the documents for this. 

Your response will be appreciated.!!!

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Splunk has features that increase availability, but I would not call it an HA product.  Those features are:

1) Multi-site indexer cluster.  See https://docs.splunk.com/Documentation/Splunk/9.0.5/Indexer/Multisitearchitecture

2) Search head clustering.  See https://docs.splunk.com/Documentation/Splunk/9.0.5/DistSearch/SHCarchitecture

3) Indexer cluster manager redundancy.  See http://docs.splunk.com/Documentation/Splunk/9.0.5/Indexer/CMredundancy

See the Splunk Validated Architectures document (https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf), specifically architecture M4/M14.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Splunk has features that increase availability, but I would not call it an HA product.  Those features are:

1) Multi-site indexer cluster.  See https://docs.splunk.com/Documentation/Splunk/9.0.5/Indexer/Multisitearchitecture

2) Search head clustering.  See https://docs.splunk.com/Documentation/Splunk/9.0.5/DistSearch/SHCarchitecture

3) Indexer cluster manager redundancy.  See http://docs.splunk.com/Documentation/Splunk/9.0.5/Indexer/CMredundancy

See the Splunk Validated Architectures document (https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf), specifically architecture M4/M14.

---
If this reply helps you, Karma would be appreciated.

sonishar
Explorer

How can we do  High availability for Heavy Forwarders and SC4S

0 Karma

PickleRick
SplunkTrust
SplunkTrust

With HF - it can be complicated because the problem here typically would be not to have multiple instances but to _not_ have multiple input instances running at the same time and you'd need to replicate the state of the inputs in case of a need for fail-over. There is nothing out-of-the-box to do it. You can to devise something with zip ties and duct tape but those solutions typically have some issues specific to chosen architecture.

Of course if you're not running any scripted/modular inputs and only have HFs as a "parsing layer" in front of indexes, there is no problem with having multiple HFs receiving data from UFs.

With SC4S there is no problem with running multiple instances. The problem is that you want the sources to send only to one of them. You can try to do some tricks with "floating IP" either on the hosts themselves using keepalived or something similar or on the router using some form of network-level load-balancing but it doesn't give you 100% guarantee of no data loss during the switchover period. It's just how the syslog works.

0 Karma

Gk7
Engager

Ya done now. 

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

As @richgalloway already pointed you could do some kind of HA system with splunk. Indexing tier is real HA with multi site cluster, but SH tier didn’t. With SHC you could get better availability, but you should remember that it’s not designed as a HA!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Hmm. That's interesting.

I don't want to challenge your opinion. I'm just curious as to why you both don't treat SHC as a highly-available solution. I'd say it ticks all the boxes.

0 Karma
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...