Deployment Architecture

Send data to 2 indexers

edgarsilva01
Path Finder

Hello everyone

I need help to send information to 2 indexers.

By request of the client I need to send information from a heavy forwarder to an indexer A, if indexer A goes down the information must reach indexer B and when indexer A is back online the heavy forwarder must send the information back to the indexer A.

The priority must be in indexer A
I need to know how to tell the heavy forwarder that when indexer A is online it sends the data to indexer A.

 

Thank you

Labels (1)
0 Karma

andrelucasmelo
Engager

Hi Edgar.

The Splunk have some features to balance or distribute data indexing over multiples indexers and Datacenters, but Splunk dont have a way to make what you need natively.

I think that you can provide this feature using software development, based on type of data ingestion that you need.

If you need to create a copy of data in indexer B without a Indexer Cluster, you must to configure it on outputs.conf file in your Heavy Forwarder,

[tcpout]
defaultGroup = indexerA, indexerB

[tcpout:indexerA]
server = indexerAIP:9997

[tcpout:indexerB]
server = indexerBIP:9997

With this configuration, all data sent to IndexerA, will be sent to IndexerB too.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You're kind of replicating the main feature of indexer clustering.  If you put indexer A and indexer B into a cluster then they'll each have a copy of all data regardless of where the data was sent.  Also, a search will find the data in either indexer.

It's possible to tell a HF to send data to two indexers, but it's difficult (impossible?) to tell it to only use B if A is unavailable.  Indeed, if both indexers are not available a forwarder will refuse to send to either one.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...