Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Possible to do failover rather than load balancing with the forwarder?

gryz
Explorer
‎10-25-2012 02:36 PM

Given our network architecture, we would like to do failover rather than load balancing.

We would want a primary and a secondary indexer.

Under normal conditions, all forwarders should sent data to the primary indexer.

If the primary indexer goes down, data should then go to the secondary indexer.

When the primary indexer comes back up, data should go to the primary again.

Thanks!

Tags (1)
Reply

bandit
Motivator
‎09-24-2014 08:35 AM

Also related:
http://answers.splunk.com/answers/118504/load-balancing-failover-between-two-heavy-forwarders.html

0 Karma
Reply

mcronkrite
Splunk Employee
Splunk Employee
‎03-29-2014 07:54 AM

Check out this thread on HA for Light forwarder using DNS

http://answers.splunk.com/answers/8806/high-availability-light-forwarders-and-combining-cloning-and-...
link text

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-25-2012 03:08 PM

To the best of my knowledge, reading over docs for outputs.conf, I don't think what you're looking for is possible. You could try changing the autoLBFrequency to a high value, but that just means that the forwarder would develop a long-lasting affinity for whatever indexer it's talking to. In a failover event, it would hang on to its connection to the secondary for a long time.

Let's dig deeper, however. I'm curious to know why you'd want data to go only to a primary indexer, and not both. You'll get the redundancy you request, as well as increased search performance if you utilize both indexers together. Is there some reason why you wouldn't use both? Is it simply a matter of bandwidth? If so, note that you can enable compression on both sides of the connection (forwarder and indexer) to decrease overall bandwidth usage.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...