Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to switch between active/inactive forwarders when you have a cluster?

geantver0000
Engager
‎09-14-2017 01:48 AM

Hi,

When you have a Splunk forwarder on a server using Cluster (Active/Inactive), what can you do to Stop the Splunk forwarder on the server that is Inactive, and Start the forwarder on the Active when it is needed ?
I don't want to have duplicate data ...

Regards,

Steve

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2017 05:26 AM

How does your cluser run?
does it log only on the Active Server (Active/Passive) or logs on both the servers (Active/Active)?

If it logs only on Active server you don't have problems.
If if logs on both the servers it's strange because only one is active and anyway logs of Passive server are different than the other,
If logs are replicated between the two servers, you should find a way to identifly local logs from remote logs.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎09-15-2017 08:28 AM

@maciep spoke about in at Is there a way to configure high availability for Splunk Forwarders, so if one is down, another will...

He concluded by saying -

-- In general though, we don't worry much about HA for forwarders. We have monitoring in place to start splunk if it stops and we get a daily report (from the Deployment Monitor app) of forwarders that haven't checked in to our deployment server. So typically we can address stopped forwarders before the data rolls.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2017 05:26 AM

How does your cluser run?
does it log only on the Active Server (Active/Passive) or logs on both the servers (Active/Active)?

If it logs only on Active server you don't have problems.
If if logs on both the servers it's strange because only one is active and anyway logs of Passive server are different than the other,
If logs are replicated between the two servers, you should find a way to identifly local logs from remote logs.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

geantver0000
Engager
‎09-15-2017 05:18 AM

Hi Giuseppe,

For the moment , I have installed the forwarder on the actif, but I want also to do that on the Inactif.
And i know that I will receive data from both on Splunk .... so Duplicate data ...
Is there something to avoid this situation ?

Regards,
Steve

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-14-2017 02:12 AM

Hi geantver0000,
if your target servers are Active/Passive, logs are written on only one of them at a time not in both the servers so you'll receive only one log, if you have both the forwarders active you'll continue to receive logs also after switching.
There could be a problem with Active/Active and clustered servers with replications of logs.
What's your situation?
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...