Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarder with primary & fail-over indexer?

dnolan
Explorer
‎08-19-2010 09:56 PM

Is there a way with the basic Forwarder to configure it to send events to server A if its up, and to server B only if server A becomes unavailable?

I've got four indexers, geographically distributed. I'd like to configure my forwarders to send to their closest indexer, with fail-over to a second indexer if the primary is unavailalbe.

I could do AutoLB with a REALLY HIGH frequency, but thats a hack, and doesn't properly handle the situation where the primary indexer comes back up. I want the forwarders to switch back to the primary automatically.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

There is no way to do this in Splunk. Forwarding destinations are always considered symmetrically (in the case of load balancing) or independently (in the case of cloned groups). You may be able to use an off the shelf load balancer or cluster manager to route TCP connections appropriately.

View solution in original post

Reply
Solved! Jump to solution

dnolan
Explorer
‎08-25-2010 05:48 PM

Because my license isn't infinite... 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

There is no way to do this in Splunk. Forwarding destinations are always considered symmetrically (in the case of load balancing) or independently (in the case of cloned groups). You may be able to use an off the shelf load balancer or cluster manager to route TCP connections appropriately.

Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎08-19-2010 10:41 PM

I would not recommend doing this due to the change in distribution of data. The only usable scenario for this I could imagine, would be for network traffic that is sent through an intermediate forwarder. In that case, it makes more sense to use syslog-ng and write the events to a file that is then monitored by the Splunk Forwarder. A big consideration with the functionality you describe, is that you will have data in two different places.

If your desire is to have some temporary back up, I recommend you perform data cloning as that will allow you to search the data before your primary indexer went down.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-19-2010 10:00 PM

Why would you do this rather than have the forwarder distributing to both indexers at all times? When one fails, then all traffic will go to the remaining one.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...