Data replication across two indexers

bckq
Path Finder

I currently have one Splunk server which works as indexer and searcher. I want to add a second server which will be a mirror of that first server. I need to set up data index replication from the first server to the second server but I don't know how to configure that. I was looking in the documentation and found some explanations (http://docs.splunk.com/Documentation/Splunk/latest/Installation/Highavailabilityreferencearchitectur...) but there isn't any sample config and I have no idea how to set it up.

So in short, I want:
Splunk_A -----> Splunk_B (Splunk_A sends all received data to Splunk_B)
Then I would like to set up some load balancing. When a user wants to search something, they connect to server A or B. When server A is down, the user connects to server B. When server A is down, all indexed data travels directly to server B.

Is it possible to set up? I need to see some examples of configuration. Documentation is very very poor.

Thanks everyone for replying.

0 Karma
1 Solution

bmacias84
Champion

@bckq, This can be done in the current version of Splunk, but it is a little messy. Splunk 5.0 aka Ace, which is in RC3 currently, will allow you to accomplish your goal. In 4.x.x you have to use a few concepts such as data cloning, data routing, and data filtering, which can be done at the forwarder or indexer level. Here is a post that covers HA; I also discuss how to accomplish what you're talking about.

Hope this helps or gets you started.

splunk-disaster-recovery

0 Karma

mahamed_splunk
Splunk Employee

More info about index replication in Splunk 5.0 can be found here

http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Aboutclusters

0 Karma

mahamed_splunk
Splunk Employee

That's right. Index replication will replicate all the indexes.

0 Karma

bmacias84
Champion

Keep in mind you are replicating entire indexers. Currently you cannot pick and choose indices on an indexer to replicate. Data cloning and routing may still be preferable depending on requirements.

0 Karma

jgedeon120
Contributor

The documentation has all the answers for this. Instead of using Indexer A to send the data I would just send to the two indexers from the start with Universal Forwarders or Heavy Forwarders. The downside is, the data won't match across the indexers when one goes down and comes back up. The current Beta version of Splunk will cover this in a clustering mode that will do what you are looking for.

0 Karma
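
The forwarder-side data cloning suggested in the answers above, as an added configuration example that is not part of the original thread or of Splunk's documentation. The group names, hostnames and receiving port 9997 are assumed placeholders.

```ini
# outputs.conf on each forwarder (Splunk 4.x data cloning).
# Constructed example: group names, hostnames and port are placeholders.

[tcpout]
# Naming more than one target group here clones every event to each group,
# so Splunk_A and Splunk_B both receive a full copy.
defaultGroup = splunk_a, splunk_b

[tcpout:splunk_a]
server = splunk-a.example.com:9997
# Indexer acknowledgment: the forwarder resends data the indexer
# did not confirm receiving.
useACK = true

[tcpout:splunk_b]
server = splunk-b.example.com:9997
useACK = true

# Contrast: a single group listing both servers load-balances instead,
# so each event reaches only one indexer and neither holds a mirror.
# [tcpout:both]
# server = splunk-a.example.com:9997, splunk-b.example.com:9997

# inputs.conf on both Splunk_A and Splunk_B: accept forwarder traffic.
[splunktcp://9997]
disabled = 0
```

Cloning this way does not backfill an indexer that was offline, which is the mismatch jgedeon120 describes.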