Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Using LWF as intermediate forwarder and using autoLB

gkanapathy
Splunk Employee
Splunk Employee
‎09-10-2010 05:25 PM

I understand that auto load-balancing (autoLB) on a Splunk Light Forwarder works by switching indexers for a source only when it reads the end of a monitored source file, to ensure that it only switches between events.

If I use a Light Forwarder as an relay or intermediate forwarder between other light forwarders and a cluster of indexers (because of network restrictions), will autoLB still work? That is, is autoLB dependent on the LWF having the file locally monitored? Or will autoLB still work if the LWF receives the input stream from another set of LWFs? Will it be able to look at the incoming source keys and switch only on the "done" key in the stream, or does autoLB not work that way?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-22-2010 03:48 AM

AutoLB is keyed just on the done key, which is propagated from the initial to intermediate forwarders. However, in investigating this, we've observed a bug that will keep this from working as expected. Specifically we're keying the stream on just the value of the "source" key rather than an unambiguous representation of the stream. This doesn't affect a single tier of autoLB LWFs, but will cause a second tier of these to inappropriately terminate a connection when a done key is seen for a similarly named source from a different stream. This will be fixed in 4.2.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-22-2010 03:48 AM

AutoLB is keyed just on the done key, which is propagated from the initial to intermediate forwarders. However, in investigating this, we've observed a bug that will keep this from working as expected. Specifically we're keying the stream on just the value of the "source" key rather than an unambiguous representation of the stream. This doesn't affect a single tier of autoLB LWFs, but will cause a second tier of these to inappropriately terminate a connection when a done key is seen for a similarly named source from a different stream. This will be fixed in 4.2.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-04-2011 08:59 PM

yes, it would work, but i am concerned about the performance/throughput of using a heavy forwarder vs light, and the number of forwarders i would need to handle peak traffic loads.

0 Karma
Reply
Solved! Jump to solution

hacktastic
Path Finder
‎03-04-2011 05:42 PM

Is the workaround to use a HWF as an intermediate forwarder?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...