Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using LWF as intermediate forwarder and using autoLB

gkanapathy
Splunk Employee
Splunk Employee
‎09-10-2010 05:25 PM

I understand that auto load-balancing (autoLB) on a Splunk Light Forwarder works by switching indexers for a source only when it reads the end of a monitored source file, to ensure that it only switches between events.

If I use a Light Forwarder as an relay or intermediate forwarder between other light forwarders and a cluster of indexers (because of network restrictions), will autoLB still work? That is, is autoLB dependent on the LWF having the file locally monitored? Or will autoLB still work if the LWF receives the input stream from another set of LWFs? Will it be able to look at the incoming source keys and switch only on the "done" key in the stream, or does autoLB not work that way?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-22-2010 03:48 AM

AutoLB is keyed just on the done key, which is propagated from the initial to intermediate forwarders. However, in investigating this, we've observed a bug that will keep this from working as expected. Specifically we're keying the stream on just the value of the "source" key rather than an unambiguous representation of the stream. This doesn't affect a single tier of autoLB LWFs, but will cause a second tier of these to inappropriately terminate a connection when a done key is seen for a similarly named source from a different stream. This will be fixed in 4.2.

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-22-2010 03:48 AM

AutoLB is keyed just on the done key, which is propagated from the initial to intermediate forwarders. However, in investigating this, we've observed a bug that will keep this from working as expected. Specifically we're keying the stream on just the value of the "source" key rather than an unambiguous representation of the stream. This doesn't affect a single tier of autoLB LWFs, but will cause a second tier of these to inappropriately terminate a connection when a done key is seen for a similarly named source from a different stream. This will be fixed in 4.2.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-04-2011 08:59 PM

yes, it would work, but i am concerned about the performance/throughput of using a heavy forwarder vs light, and the number of forwarders i would need to handle peak traffic loads.

0 Karma
Reply
Solved! Jump to solution

hacktastic
Path Finder
‎03-04-2011 05:42 PM

Is the workaround to use a HWF as an intermediate forwarder?

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...