
How to integrate AWS Autoscale with Splunk indexers to automate high availability without an admin redeploying configurations

agoebel
Path Finder

Last year we had great luck with our Splunk configuration and I'm trying to adapt it to use multisite clustering for this year for a better HA story. There is one place where I'm getting stuck though.

There would be two indexers per AWS region in our setup. Ideally, these are set up to come up with an ASG so that, in case one dies, they can automatically heal. I am not seeing a way for this to work without reconfiguring the forwarders with new IP addresses when it comes up, and it seems using an ELB in front of the indexers is frowned upon. Is there a known way to get this behavior so Splunk heals itself automatically without an admin going in and bringing up a new box and redeploying configurations?

0 Karma

nkwong_splunk
Splunk Employee

Here is a .conf2015 talk that my colleagues and I did on deploying a highly available Splunk Enterprise architecture on AWS. We talk about how to leverage DNS entries instead of hardcoding IP addresses in your forwarders. Also, in Splunk 6.3 we introduced the new feature, indexer discovery, which allows the forwarders to get the full list of indexers from the master node.

Indexer Discovery Overview and Setup
http://docs.splunk.com/Documentation/Splunk/6.3.1/Indexer/indexerdiscovery

Slidedeck from .conf2015 - Deploying Splunk on Amazon Web Services
http://conf.splunk.com/session/2015/conf2015_SYep_Splunk_Cloud_DeployingSplunkOnAmazon.pdf

Recording from .conf2015 - Deploying Splunk on Amazon Web Services
http://conf.splunk.com/session/2015/recordings/2015-splunk-126.mp4

0 Karma

emiller42
Motivator

You're probably going to need to figure out some orchestration here. (And might already have some)

One thing that comes to mind is that you shouldn't be configuring your forwarders with IP addresses for each indexer. Instead, create a DNS listing with all of your indexer IPs as A records within it. Then you just point your forwarder at the DNS record, and it'll load-balance across all the IPs found.

When you need to add/remove indexers, you simply update the DNS listing. The forwarders will pick up on that change and forward to the new indexers automatically.

Relevant documentation
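
The two approaches from the answers above, written out as forwarder configuration. This is an added example, not configuration from either poster or from the linked talk; the host names, group names, site value and key are placeholders.

```ini
# --- Option A: DNS name instead of hardcoded IPs (forwarder outputs.conf) ---
# indexers.splunk.example.internal is a placeholder record holding one A record
# per live indexer; orchestration updates it when the ASG replaces an instance.
[tcpout]
defaultGroup = asg_indexers_dns

[tcpout:asg_indexers_dns]
server = indexers.splunk.example.internal:9997
# How often (seconds) the forwarder re-resolves the name; keep the record's TTL
# at or below this so a replaced indexer is picked up promptly.
dnsResolutionInterval = 60
autoLBFrequency = 30
# Hold events until the indexer acknowledges them, so data in flight to an
# instance that dies is re-sent rather than lost.
useACK = true

# --- Option B: indexer discovery, Splunk 6.3+ (forwarder outputs.conf) ---
# The forwarder asks the master node for the current peer list, so no forwarder
# change is needed when a new indexer joins the cluster.
[indexer_discovery:cluster_master]
# Must match pass4SymmKey in the master's [indexer_discovery] stanza.
pass4SymmKey = <REPLACE_WITH_SHARED_SECRET>
master_uri = https://master.splunk.example.internal:8089

[tcpout:asg_indexers_discovered]
indexerDiscovery = cluster_master
useACK = true

# With Option B, [tcpout] defaultGroup would point at asg_indexers_discovered.

# --- Option B, master node server.conf ---
[indexer_discovery]
pass4SymmKey = <REPLACE_WITH_SHARED_SECRET>

# --- Option B with multisite, forwarder server.conf ---
# Tells the master which site's peers to hand to this forwarder.
[general]
site = site1
```

With Option B the replacement indexer still has to join the cluster on boot (its own `server.conf` clustering stanza baked into the AMI or applied by bootstrap), and the discovery secret should be distributed through a secrets mechanism rather than committed in plain text.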
