
How does load balancing work when forwarding to Splunk Cloud?

Builder

Hi,

I'm wondering how load balancing in Splunk Cloud works.

When I install the splunkcloud.uf app on a local forwarder, the outputs.conf that is created in the app looks like so:

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-<id>.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-<id>.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = <password>
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true

Notice that there is only one server listed. When I search for "splunk_server" in my Splunk Cloud it clearly says I have five indexers. Why aren't all those listed behind "server" as normal when using load balancing? I know there is something called the indexer discovery feature, but then I guess I would see a stanza for that in my outputs.conf. Could someone explain this to me?

0 Karma

Splunk Employee

This configuration is for a single instance of Splunk Cloud, not a clustered instance. Clustered instances will have an input-idxXX.instancename.splunkcloud.com.

Single instance stacks, *.cloud.splunk.com, do not have multiple indexers or search heads.


0 Karma


Builder

Thanks for your fast answer. So the fact that it says id.cloud. indicates that there's only one indexer? If so, why are there five servers showing in my Splunk Cloud GUI? These five show when I search for * with value, count and percent.

idx2.<customer>.splunkcloud.com     383     30.763%
idx3.<customer>.splunkcloud.com     292     23.454%
idx4.<customer>.splunkcloud.com     203     16.305%
idx1.<customer>.splunkcloud.com     199     15.984%
idx5.<customer>.splunkcloud.com     168     13.494%
0 Karma

Splunk Employee

It looks like either your Cloud UF App is from a single instance *.cloud.splunk.com trial you have done, or perhaps the one from your clustered stack isn't correct.

Did you install the app from your *.splunkcloud.com instance after using your *.cloud.splunk.com instance? You have to update this, it doesn't automatically change.

Builder

You are absolutely right! The app I was looking at was from a former Splunk Cloud Trial instance. There is another app for the new prod-instance of Splunk Cloud which has all the servers listed. That surely clears things up. Thanks!

0 Karma
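
The mix-up resolved in this thread (a leftover trial app's outputs.conf sitting next to the production one) can be spotted by listing what each `[tcpout:<group>]` stanza actually targets. The following is an added example, not code from the thread or from Splunk. The hostnames are constructed placeholders, and the suffix-to-stack mapping is taken from the answer above and treated as an assumption.

```python
# Added example: report the targets of each tcpout group in outputs.conf text.
# Assumption (from the thread's answer): *.cloud.splunk.com = single instance,
# *.splunkcloud.com = clustered stack.

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def stack_type(host):
    if host.endswith(".cloud.splunk.com"):
        return "single-instance"
    if host.endswith(".splunkcloud.com"):
        return "clustered"
    return "unknown"

def audit_tcpout(text):
    """Return one report dict per [tcpout:<group>] stanza."""
    reports = []
    for name, kv in parse_conf(text).items():
        if not name.startswith("tcpout:"):
            continue
        servers = [s.strip() for s in kv.get("server", "").split(",") if s.strip()]
        hosts = [s.rsplit(":", 1)[0] for s in servers]  # drop the :port suffix
        reports.append({
            "group": name.split(":", 1)[1],
            "servers": servers,
            "stack_types": sorted({stack_type(h) for h in hosts}),
            # An unset value is reported as not verifying (assumption).
            "verifies_server_cert": kv.get("sslVerifyServerCert", "").lower() == "true",
        })
    return reports

# Constructed sample inputs: a leftover trial app and a production app.
TRIAL_APP = "[tcpout:splunkcloud]\nserver = input-prd-p-example.cloud.splunk.com:9997\nsslVerifyServerCert = true\n"
PROD_APP = ("[tcpout:splunkcloud]\nserver = input-idx1.examplestack.splunkcloud.com:9997, "
            "input-idx2.examplestack.splunkcloud.com:9997\nsslVerifyServerCert = true\n")

if __name__ == "__main__":
    for label, conf in (("trial", TRIAL_APP), ("prod", PROD_APP)):
        print(label, audit_tcpout(conf))
```

Run it over the outputs.conf of every app under `$SPLUNK_HOME/etc/apps` on the forwarder; two apps defining the same group name with different stack types is the situation described in this thread.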