I currently have one Splunk server which works as indexer and searcher. I want to add a second server which will be a mirror of that first server. I need to set up data index replication from the first server to the second server, but I don't know how to configure that. I was looking in the documentation and found some explanations (http://docs.splunk.com/Documentation/Splunk/latest/Installation/Highavailabilityreferencearchitectur...), but there is no sample config and I have no idea how to set it up.
So shortly, I want:
Splunk_A -----> Splunk_B (Splunk_A sends all received data to Splunk_B)
Then I would like to set up some load balancing. When a user wants to search something, they connect to server A or B. When server A is down, the user connects to server B. When server A is down, all indexed data travels directly to server B.
Is it possible to set up? I need to see some examples of configuration. Documentation is very very poor.
Thanks everyone for replying.
@bckq, This can be done in the current version of Splunk, but it is a little messy. Splunk 5.0, aka Ace, which is in RC3 currently, will allow you to accomplish your goal. In 4.x.x you have to use a few concepts such as data cloning, data routing, and data filtering, which can be done at the forwarder or indexer level. Here is a post that covers HA; I also discuss how to accomplish what you're talking about.
Hope this helps or gets you started.
More info about index replication in Splunk 5.0 can be found here
http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Aboutclusters
That's right. Index replication will replicate all the indexes.
Keep in mind you are replicating entire indexers. Currently you cannot pick and choose indices on an indexer to replicate. Data cloning and routing may still be preferable depending on requirements.
The documentation has all the answers for this. Instead of using Indexer A to send the data, I would just send to the two indexers from the start with Universal Forwarders or Heavy Forwarders. The downside is that the data won't match across the indexers when one goes down and comes back up. The current Beta version of Splunk will cover this in a clustering mode that will do what you are looking for.
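A sketch of the forwarder-side data cloning suggested in the answers above, added here as an illustration and not taken from any of the posts or from Splunk's documentation. The hostnames, the group names and the receiving port 9997 are assumptions; adjust them to your environment.

```ini
# outputs.conf on each Universal or Heavy Forwarder
# (constructed example; hostnames and group names are placeholders)

[tcpout]
# Two target groups in defaultGroup means every event is CLONED:
# one copy goes to each group, so both indexers receive all data.
defaultGroup = splunk_a, splunk_b

[tcpout:splunk_a]
server = splunk-a.example.com:9997

[tcpout:splunk_b]
server = splunk-b.example.com:9997

# For contrast, NOT a mirror: a single group listing both servers
# load-balances, so each event lands on only one of the two indexers.
# [tcpout:balanced]
# server = splunk-a.example.com:9997, splunk-b.example.com:9997

# inputs.conf on BOTH indexers: listen for forwarder traffic
# [splunktcp://9997]
```

With cloning, each indexer holds only what it received while it was up, which is the mismatch after an outage that the last answer describes.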