Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to switch between active/inactive forwarders when you have a cluster?

geantver0000
Engager
‎09-14-2017 01:48 AM

Hi,

When you have a Splunk forwarder on a server using Cluster (Active/Inactive), what can you do to Stop the Splunk forwarder on the server that is Inactive, and Start the forwarder on the Active when it is needed ?
I don't want to have duplicate data ...

Regards,

Steve

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2017 05:26 AM

How does your cluser run?
does it log only on the Active Server (Active/Passive) or logs on both the servers (Active/Active)?

If it logs only on Active server you don't have problems.
If if logs on both the servers it's strange because only one is active and anyway logs of Passive server are different than the other,
If logs are replicated between the two servers, you should find a way to identifly local logs from remote logs.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎09-15-2017 08:28 AM

@maciep spoke about in at Is there a way to configure high availability for Splunk Forwarders, so if one is down, another will...

He concluded by saying -

-- In general though, we don't worry much about HA for forwarders. We have monitoring in place to start splunk if it stops and we get a daily report (from the Deployment Monitor app) of forwarders that haven't checked in to our deployment server. So typically we can address stopped forwarders before the data rolls.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-15-2017 05:26 AM

How does your cluser run?
does it log only on the Active Server (Active/Passive) or logs on both the servers (Active/Active)?

If it logs only on Active server you don't have problems.
If if logs on both the servers it's strange because only one is active and anyway logs of Passive server are different than the other,
If logs are replicated between the two servers, you should find a way to identifly local logs from remote logs.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

geantver0000
Engager
‎09-15-2017 05:18 AM

Hi Giuseppe,

For the moment , I have installed the forwarder on the actif, but I want also to do that on the Inactif.
And i know that I will receive data from both on Splunk .... so Duplicate data ...
Is there something to avoid this situation ?

Regards,
Steve

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-14-2017 02:12 AM

Hi geantver0000,
if your target servers are Active/Passive, logs are written on only one of them at a time not in both the servers so you'll receive only one log, if you have both the forwarders active you'll continue to receive logs also after switching.
There could be a problem with Active/Active and clustered servers with replications of logs.
What's your situation?
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top