Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure Load Balancing on Splunk Search Heads?

agentsofshield
Path Finder
‎07-02-2018 12:05 AM

Hi! So I set up a F5 Load Balancer and listed all of my Splunk search heads as pool members.

Apparently the load balancer performs a health check, and therefore, requires a health monitor URI and a health monitor response!

So I'm consulting you guys, which URI and response should I use? It's just a simple request and response to check if my search head is up. With the default configurations my server is considered down, of course.

I have no experience with load balancers so please be gentle.

Reply

jkat54
SplunkTrust
SplunkTrust
‎07-30-2019 08:25 AM

I recommend monitoring the Splunkd port of 8089 (tls), because when it isnt responding it might still accept requests on the web port, but not be able to service them.

0 Karma
Reply

codebuilder
Influencer
‎04-29-2019 11:03 AM

This is older but looks like it never got a solid answer. The easiest solution is to perform a simple port check.

I don't use F5, but the haproxy equivalent is such:

balance source
server shca101 :8000 weight 1 maxconn 2000 check port 8000 ssl verify none
server shca102 :8000 weight 1 maxconn 2000 check port 8000 ssl verify none
server shca103 :8000 weight 1 maxconn 2000 check port 8000 ssl verify none

Before sending traffic to any of the search heads the load balancer verifies that port 8000 is active. Assuming your web UI is using the default port 8000 of course.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

joesrepsolc
Communicator
‎01-29-2019 09:58 AM

Struggling with this same scenario... and still have no solid answer. Anyone have more info?

Thanks.

Joe

0 Karma
Reply

renjith_nair
Legend
‎07-02-2018 02:08 AM

Hi @agentsofshield ,

The simplest method is to configure an http monitor to check the service.

Select http as the health monitor and set GET /\r\n as your send string in properties. This is very basic check but should work

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

agentsofshield
Path Finder
‎07-02-2018 03:04 AM

I don't have a send string, I can only fill out a URI and a response.

The team in charge of servers / load balancers has a system so I have little control over it.

0 Karma
Reply

renjith_nair
Legend
‎07-02-2018 03:40 AM

Ok. In URI you could mention / which is the root context and in response you can leave blank.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...