- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Data replication across two indexers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have currently one Splunk server who works as indexer and searcher. I want to add second server which will be a mirror of that first server. I need to set data index replication from first server to the second server but I don't know how to configure that. I was looking in the documentation, found some explanations (http://docs.splunk.com/Documentation/Splunk/latest/Installation/Highavailabilityreferencearchitectur...) but there is no any sample config and I have no idea how to set it up.
So shortly, I want:
Splunk_A -----> Splunk_B (Splunk_A send all received data to Splunk_B)
Then I would like to set some loadbalancing. When user want to search something it connect to server A or B. When Server A is down, user connect to server B. When server A is down, all indexed data are travelling directly do server B.
Is it possible to set up? I need to see some examples of configuration. Documentation is very very poor.
Thanks everyone for replying.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bckq, This can be done in current version of Splunk, but is a little messy. Splunk 5.0 aka Ace which in RC3 currently will allow you do accomplish your goal. In 4.x.x you have to use a few concepts such as data cloning, data routing, and data filtering which can be done at the forwarder or indexer level. Here is a post that covers HA, I also discuss how to accomplish what your taking about.
Hope this helps or gets you started.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More info about index replication in Splunk 5.0 can be found here
http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Aboutclusters
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's right. Index replication will replicate all the indexes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep in mind you are replicating entire indexers. Currently you can not pick and choose indices on an indexer to replicate. Data cloning and routing may still be perferable depending on requirements.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bckq, This can be done in current version of Splunk, but is a little messy. Splunk 5.0 aka Ace which in RC3 currently will allow you do accomplish your goal. In 4.x.x you have to use a few concepts such as data cloning, data routing, and data filtering which can be done at the forwarder or indexer level. Here is a post that covers HA, I also discuss how to accomplish what your taking about.
Hope this helps or gets you started.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The documentation has all the answers for this. Instead of using Indexer A to send the data I would just send to the two indexers from the start with Universal Forwarders or Heavy Forwarders. The down side is, the data won't match across the indexers when one goes down and come back up. The current Beta version of Splunk will cover this in a clustering mode that will do what you are looking for.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
