Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does load balacing work when forwarding to Splunk Cloud?

hettervik
Builder
‎05-11-2016 01:08 AM

Hi,

I'm wondering how load balancing in Splunk Cloud work.

When i install the splunkcloud.uf app on a local forwarder, the outputs.conf that is created in the app looks like so:

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-<id>.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-<id>.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = <password>
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true

Notice that there is only one server listed. When I search for "splunk_server" in my Splunk Cloud it clearly says I have five indexers. Why aren't all those listed behind "server" as normal when using load balancing? I know there is something called the indexer discovery feature, but then I guess I would see a stanza for that in my outputs.conf. Could someone explain this to me?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-11-2016 01:23 AM

This configuration is for a single instance of Splunk cloud, not a clustered instance. Clustered instances will have a input-idxXX.instancename.splunkcloud.com.

Single instance stacks, *.cloud.splunk.com, do not have multiple indexers or search heads.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-11-2016 01:23 AM

This configuration is for a single instance of Splunk cloud, not a clustered instance. Clustered instances will have a input-idxXX.instancename.splunkcloud.com.

Single instance stacks, *.cloud.splunk.com, do not have multiple indexers or search heads.

0 Karma
Reply
Solved! Jump to solution

hettervik
Builder
‎05-11-2016 01:28 AM

Thanks for your fast answer. So the fact that it says id.cloud.indicates that there's only one indexer? If so, why are there five servers showing in my Splunk Cloud GUI? These five show when i search for * with value, count and percent.

idx2.<customer>.splunkcloud.com     383     30.763%
idx3.<customer>.splunkcloud.com     292     23.454%
idx4.<customer>.splunkcloud.com     203     16.305%
idx1.<customer>.splunkcloud.com     199     15.984%
idx5.<customer>.splunkcloud.com     168     13.494%
0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-11-2016 01:30 AM

It looks like either your Cloud UF App is from a single instance *.cloud.splunk.com trial you have done. Or perhaps the one from your clustered stack isnt correct.

Did you install the app from your *.splunkcloud.com instance after using your *.cloud.splunk.com instance? You have to update this, it doesnt automatically change.

Reply
Solved! Jump to solution

hettervik
Builder
‎05-11-2016 01:40 AM

You are absolutely right! The app I was looking at was from a former Splunk Cloud Trial instance. There is another app for the new prod-instance of Splunk Cloud which has all the servers listed. That surely clears things up. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...