Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarder with primary & fail-over indexer?

dnolan
Explorer
‎08-19-2010 09:56 PM

Is there a way with the basic Forwarder to configure it to send events to server A if its up, and to server B only if server A becomes unavailable?

I've got four indexers, geographically distributed. I'd like to configure my forwarders to send to their closest indexer, with fail-over to a second indexer if the primary is unavailalbe.

I could do AutoLB with a REALLY HIGH frequency, but thats a hack, and doesn't properly handle the situation where the primary indexer comes back up. I want the forwarders to switch back to the primary automatically.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

There is no way to do this in Splunk. Forwarding destinations are always considered symmetrically (in the case of load balancing) or independently (in the case of cloned groups). You may be able to use an off the shelf load balancer or cluster manager to route TCP connections appropriately.

View solution in original post

Reply
Solved! Jump to solution

dnolan
Explorer
‎08-25-2010 05:48 PM

Because my license isn't infinite... 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

There is no way to do this in Splunk. Forwarding destinations are always considered symmetrically (in the case of load balancing) or independently (in the case of cloned groups). You may be able to use an off the shelf load balancer or cluster manager to route TCP connections appropriately.

Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

I would not recommend doing this due to the change in distribution of data. The only usable scenario for this I could imagine, would be for network traffic that is sent through an intermediate forwarder. In that case, it makes more sense to use syslog-ng and write the events to a file that is then monitored by the Splunk Forwarder. A big consideration with the functionality you describe, is that you will have data in two different places.

If your desire is to have some temporary back up, I recommend you perform data cloning as that will allow you to search the data before your primary indexer went down.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-19-2010 10:00 PM

Why would you do this rather than have the forwarder distributing to both indexers at all times? When one fails, then all traffic will go to the remaining one.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...