Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does external load balancer works with Universal/Heavy forwarder?

hrawat_splunk
Splunk Employee
Splunk Employee
‎12-10-2020 03:31 PM

Related to recommendation as per following link 

Setup load balancing 

New versions of SPLUNK now fully support NLB. Splunkcloud is also behind NLB.
<on-prem fwd> ===>NLB===>splunk cloud

How to setup?
https://www.linkedin.com/posts/harendra-rawat-b10b41_asynchronous-forwarding-with-nlb-activity-71122...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎12-10-2020 03:47 PM

Note:
New versions of SPLUNK now fully support NLB. Splunkcloud is also behind NLB.
<on-prem fwd> ===>NLB===>splunk cloud

How to setup?
https://www.linkedin.com/posts/harendra-rawat-b10b41_asynchronous-forwarding-with-nlb-activity-71122...

Outputs.conf 

External network load balancer will not work with UF/HF if DNS resolves only one IP-address for NLB. This limitation will be addressed in future releases.

Technically external network load balancer  should work with UF/HF as long as DNS returns 2 or more IP addresses.. So why not recommended?

There are some scenarios where results will not be as expected.

Let’s say we have 100 k FWDs. Assuming NLB dns lookup will return 2 A records(NLB-IP1, NLB-IP2).  Indexing tier with 25 indexers ( indexer1 - indexer25). Regardless of how NLB picks target indexer( volume or round robin or something else).
  1. UF1 connects to NLB-IP1 and NLB connects to indexer1.
  2. After autoLBFrequency(default 30 sec) UF1 will pick NLB-IP2. However It’s possible that NLB that is load balancing 100K FWD hosts, might connect to indexer1.
  3. Over the period of time let’s say 1 hour, it’s possible that UF1 (out of 120 connections) might ended up connecting to one indexer ( or few indexers) more than rest.

With fewer number of A records for NLB, forwarder might stick to only one indexer.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎12-10-2020 03:47 PM

Note:
New versions of SPLUNK now fully support NLB. Splunkcloud is also behind NLB.
<on-prem fwd> ===>NLB===>splunk cloud

How to setup?
https://www.linkedin.com/posts/harendra-rawat-b10b41_asynchronous-forwarding-with-nlb-activity-71122...

Outputs.conf 

External network load balancer will not work with UF/HF if DNS resolves only one IP-address for NLB. This limitation will be addressed in future releases.

Technically external network load balancer  should work with UF/HF as long as DNS returns 2 or more IP addresses.. So why not recommended?

There are some scenarios where results will not be as expected.

Let’s say we have 100 k FWDs. Assuming NLB dns lookup will return 2 A records(NLB-IP1, NLB-IP2).  Indexing tier with 25 indexers ( indexer1 - indexer25). Regardless of how NLB picks target indexer( volume or round robin or something else).
  1. UF1 connects to NLB-IP1 and NLB connects to indexer1.
  2. After autoLBFrequency(default 30 sec) UF1 will pick NLB-IP2. However It’s possible that NLB that is load balancing 100K FWD hosts, might connect to indexer1.
  3. Over the period of time let’s say 1 hour, it’s possible that UF1 (out of 120 connections) might ended up connecting to one indexer ( or few indexers) more than rest.

With fewer number of A records for NLB, forwarder might stick to only one indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...