Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best Practice for Getting Data from Splunk Instances Into Indexer Cluster

Fortron
Engager
‎06-21-2024 06:55 AM

I have the following setup with Indexer Discovery + Indexer Cluster + Search Head Cluster:

- Deployment Server

- 3 X Indexer + Cluster Manager (Indexer Cluster)

- Search Head Deployer + Search Head (Set-up as part of a SHC for possible future scaling up)

 

For forwarding logs from Cluster Manager, I referred to: https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Forwardmanagerdata

For forwarding logs from Search Head Cluster nodes, I referred to: https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata

I believe forwarding logs from the Deployment Server should be similar to the above.

 

For indexers belonging to an indexer cluster, I have considered the following:

1. Install UF in each indexer to monitor & forward logs to the indexer cluster (via indexer discovery)

2. Just monitor logs locally and allow each indexer to index its own local logs (without going through the indexer cluster)

3. Configure the indexer to forward the locally monitored logs without indexing, to the indexer cluster. I am not sure if is necessary to ensure that it does not index the same data twice. Unsure on how this would play out.

Option 2 seems to be the easiest to achieve, but ideally I would like all logs to go through the indexer cluster for indexing.

What should be the best practice for forwarding logs from indexers that are part of the indexer cluster?

 

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2024 09:51 AM

While most instance types should forward their logs to the indexers (using outputs.conf), indexers must not do so lest they cause an infinite loop.  By virtue of the fact the indexer is part of the cluster, its logs go through the cluster.

What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

Fortron
Engager
‎06-21-2024 10:10 AM

I believe it is due to my lack of understanding on how the indexers in an indexer cluster treat locally monitored data versus data forwarded to the indexer cluster. I mistakenly thought that locally monitored logs on each indexer don't get treated the same way as logs that were forwarded to the indexer cluster.

Thank you for pointing out on the infinite loop, I guess this was the issue when I tried to configure the indexer to forward locally monitored data to its own indexer cluster, which made them spew out alot of errors. 

In that case it seems that I should just create an `inputs.conf` on the indexers and monitor whatever I want, as the indexers' logs would get indexed and subsequently replicated, if I'm understanding it correctly. 

Thank you for your help!

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2024 09:51 AM

While most instance types should forward their logs to the indexers (using outputs.conf), indexers must not do so lest they cause an infinite loop.  By virtue of the fact the indexer is part of the cluster, its logs go through the cluster.

What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...