Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Forwarder with primary & fail-over indexer?

dnolan
Explorer
‎08-19-2010 09:56 PM

Is there a way with the basic Forwarder to configure it to send events to server A if its up, and to server B only if server A becomes unavailable?

I've got four indexers, geographically distributed. I'd like to configure my forwarders to send to their closest indexer, with fail-over to a second indexer if the primary is unavailalbe.

I could do AutoLB with a REALLY HIGH frequency, but thats a hack, and doesn't properly handle the situation where the primary indexer comes back up. I want the forwarders to switch back to the primary automatically.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

There is no way to do this in Splunk. Forwarding destinations are always considered symmetrically (in the case of load balancing) or independently (in the case of cloned groups). You may be able to use an off the shelf load balancer or cluster manager to route TCP connections appropriately.

View solution in original post

Reply
Solved! Jump to solution

dnolan
Explorer
‎08-25-2010 05:48 PM

Because my license isn't infinite... 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

There is no way to do this in Splunk. Forwarding destinations are always considered symmetrically (in the case of load balancing) or independently (in the case of cloned groups). You may be able to use an off the shelf load balancer or cluster manager to route TCP connections appropriately.

Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

I would not recommend doing this due to the change in distribution of data. The only usable scenario for this I could imagine, would be for network traffic that is sent through an intermediate forwarder. In that case, it makes more sense to use syslog-ng and write the events to a file that is then monitored by the Splunk Forwarder. A big consideration with the functionality you describe, is that you will have data in two different places.

If your desire is to have some temporary back up, I recommend you perform data cloning as that will allow you to search the data before your primary indexer went down.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-19-2010 10:00 PM

Why would you do this rather than have the forwarder distributing to both indexers at all times? When one fails, then all traffic will go to the remaining one.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...