Can we use a DNS-Alias name to use the Auto Load Balancing feature of 4.1.1. for the Forwarders? E.g.:
Name: splunk-A
Address: 10.10.10.1
Aliases: splunk-index
Name: splunk-B
Address: 10.10.10.2
Aliases: splunk-index
Name: splunk-C
Address: 10.10.10.3
Aliases: splunk-index
Will this work?
You can use A records in DNS as much as you want, no point of using aliases. Aliases might work, but A records are cleaner.
We implemented it, and it works like a charm.
Name: splunk-indexers.puc.ov.otto.de
Address: 10.111.128.76
Name: splunk-indexers.puc.ov.otto.de
Address: 10.111.128.151
Name: splunk-indexers.puc.ov.otto.de
Address: 10.111.128.75
splunk-e.ov.otto.de canonical name = blade798.ov.otto.de.
Name: blade798.ov.otto.de
Address: 10.111.128.151
splunk-d.puc.ov.otto.de canonical name = blade702.puc.ov.otto.de.
Name: blade702.puc.ov.otto.de
Address: 10.111.128.76
splunk-b.puc.ov.otto.de canonical name = blade803.puc.ov.otto.de.
Name: blade803.puc.ov.otto.de
Address: 10.111.128.75
The data gets distributed to all three indexer. Search is done via a searh head with distributed search. I will shortly add a fourth indexer, that is behind a firewall and not part of the splunk-indexers.
According to the Splunk 4.1 admin training I took recently, you can use a "DNS list based on a series of A records for a single host name" to configure auto load balancing.
Yeah, documented is A records. This is a CNAME example. I suspect it won't work, but am uncertain.
this was tested prior to the release of 4.0
This has been asked before, and I thought it would Just Work but a more sysadminny person in QA said it depended. Someone was asked to test. I'll ping the appropriate parties. If the difference between A and CNAME matters to you, let us know.