Deployment Architecture

How to configure a Splunk search head cluster behind an F5 load balancer?

spsrasru
Path Finder

We don’t have anything set up currently for load balancing, and this is something we are planning for the first time using the new version (6.2) of Splunk. The load balancer setup I am looking for is an F5 residing between the users and the cluster members (search heads).

Can anyone provide the process or documentation for setting this up?

0 Karma
1 Solution

jmheaton
Path Finder

Hello,

We just built a new SH Cluster and put ours behind an F5.
Nothing too complicated to set up. You will need a VIP associated with a URL that users can get to, e.g. Splunk.Company.com

Have that forward to your Search Peers' IPs:
10.x.x.x, 10.x.x.x, 10.x.x.x

If you use the default ports (8000 for web), make sure you change the port forwarding.

Last, enable sticky sessions.

If you find that every time you log in, it seems to reset and make you log in again, you are probably missing the sticky sessions.

Thanks,
James


0 Karma
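
An added example, not part of the original thread and not F5 or Splunk reference configuration: the steps in the answer above (VIP, pool of search heads, port translation to 8000, sticky sessions) written as tmsh commands. The object names, the VIP 192.0.2.10 and the member addresses are placeholders, and terminating TLS on the VIP with the built-in clientssl profile is an assumption.

```tmsh
# Pool of search head cluster members (placeholder addresses), Splunk Web on 8000.
# A plain TCP monitor takes a member out of rotation when the port stops answering.
create ltm pool splunk_shc_pool monitor tcp members add { 10.0.0.11:8000 10.0.0.12:8000 10.0.0.13:8000 }

# Virtual server (the VIP users reach by URL). Listens on 443 and sends traffic to
# the pool members on 8000, which is the "port forwarding" step.
#  - clientssl: TLS ends on the F5 (assumption; use your own client SSL profile
#    with a real certificate instead of the built-in default).
#  - http: required so the F5 can read and insert cookies.
#  - persist cookie: sticky sessions, each browser stays on the search head
#    that issued its Splunk Web session.
#  - automap SNAT: return traffic flows back through the F5.
create ltm virtual splunk_shc_vs destination 192.0.2.10:443 ip-protocol tcp pool splunk_shc_pool profiles add { tcp http clientssl } persist replace-all-with { cookie } source-address-translation { type automap }

# Review the result and write it to disk.
list ltm virtual splunk_shc_vs
list ltm pool splunk_shc_pool
save sys config
```

Without the `persist` setting, consecutive requests from one browser can land on different search heads, which is the repeated login prompt the answer describes.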

kaku72
New Member

What do you mean by 'stick session'?

0 Karma

damode
Motivator

Hi @jmheaton, did you also make your Search Heads HTTPS based? If yes, please share the method you used to configure that. Thanks.

0 Karma

spsrasru
Path Finder

We set it up, but I am getting an XML page when I browse using just the VIP. The VIP will listen for HTTPS requests on 443 and forward to the real servers on 4301.

Can you please suggest?

Appreciate your help on this!

0 Karma

spsrasru
Path Finder

Thanks for your response! I am confused with the statement "Have that forward to your Search Peers IP's".

You mean forward to our search head IPs?

Thanks,
Sam

0 Karma

jmheaton
Path Finder

Yeah, I have been working on an index cluster project and wrote peers instead of heads 🙂

0 Karma

spsrasru
Path Finder

No problem. Appreciate your response.

Thanks,
Sam

0 Karma
