How to switch between active/inactive forwarders when you have a cluster?

geantver0000
Engager

Hi,

When you have a Splunk forwarder on a server using Cluster (Active/Inactive), what can you do to stop the Splunk forwarder on the server that is Inactive, and start the forwarder on the Active one when it is needed?
I don't want to have duplicate data ...

Regards,

Steve

0 Karma
1 Solution

gcusello
SplunkTrust

How does your cluster run?
Does it log only on the Active server (Active/Passive) or does it log on both servers (Active/Active)?

If it logs only on the Active server, you don't have problems.
If it logs on both servers, it's strange, because only one is active, and anyway the logs of the Passive server are different from the other's.
If logs are replicated between the two servers, you should find a way to identify local logs from remote logs.

Bye.
Giuseppe

0 Karma

ddrillic
Ultra Champion

@maciep spoke about it at Is there a way to configure high availability for Splunk Forwarders, so if one is down, another will...

He concluded by saying -

-- In general though, we don't worry much about HA for forwarders. We have monitoring in place to start splunk if it stops and we get a daily report (from the Deployment Monitor app) of forwarders that haven't checked in to our deployment server. So typically we can address stopped forwarders before the data rolls.

0 Karma

geantver0000
Engager

Hi Giuseppe,

For the moment, I have installed the forwarder on the active one, but I also want to do that on the inactive one.
And I know that I will receive data from both on Splunk ... so duplicate data ...
Is there something to avoid this situation?

Regards,
Steve

0 Karma

gcusello
SplunkTrust

Hi geantver0000,
If your target servers are Active/Passive, logs are written on only one of them at a time, not on both servers, so you'll receive only one log. If you have both forwarders active, you'll continue to receive logs after switching as well.
There could be a problem with Active/Active and clustered servers with replications of logs.
What's your situation?
Bye.
Giuseppe

0 Karma