Re: In Splunk, is there a way to have a cluster of...

tdanielou · ‎12-05-2018

Hello,

Is there a way to have a cluster of forwarders (heavy or universal) ?

We have multiple sources that send the same data to the indexer cluster, so we have X time the same data.
If we could have an active/passive cluster of forwarders, we could have only one time the data and the warranty that we always have the data on Splunk.

thx.

ddrillic · ‎12-05-2018

@tdanielou, the best practice is to rely on the universal forwarder file systems as the caching backup whereas for heavy forwarders to use a set of them behind a load balancer, to ensure 100% availability.

bjoernjensen · ‎12-05-2018

Hey,

for what reason do you have one source multiple times? If that is due to compliance, stageing or data governance requirements you might have to go the hard way and install redundant storage instances (indexes).

If your architectures guarantees that all sources are the same at all time ... you just need to ingest one.

If splunk is used to verify that all sources contain exactly the same data you are free to choose for your source files. Put each in a separate index peer or index, or all in one and a scheduled search on top of that.

Hope that helps!
Björn

In Splunk, is there a way to have a cluster of forwarders (heavy or universal) ?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...