Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Load Balancing

aoliullah
Path Finder
‎02-12-2017 04:24 AM

I have set up load balancing with 2 indexers with the ip being 10.0.0.5 and 10.0.0.6.

I didn't specify the autoLB frequency so I guess it would be spending 30 seconds on each indexer.

My issue here is all my data seem to go to 10.0.0.6 first and then 10.0.0.5. Should it not be going the other way round?

Also, I indexed 4MB worth of data and they only seem to be present in the index on 10.0.0.6. Is it right to assume that it was able to index all the data in 30 seconds on 10.0.0.6 so there was no data to index when it moved to 10.0.0.5 hence the index on 10.0.0.5 being empty?

This is my outputs.conf by the way:

[tcpout]
disabled= false
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
autoLB = true
server = 10.0.0.5:9997,10.0.0.6:9997

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-12-2017 05:23 AM

The order of indexers is not necessarily the order you specify in the file. In the grand scheme of running Splunk for days and years, who gets what first is not that important.

When indexing a small amount, it's likely that 100% ends up on one indexer. 4MB in 30 seconds would need just over 100kb/s, no problem at all. Additionally, when reading one file the forwarder tends to want to finish the file and then switch to another indexer. Again in the grand scheme of monitoring many files, or one regularly appended file over time, things will balance themselves out.

If you want to see the switches in action, try a search like this:

index=_internal host=your_forwarder 10.0.0.*

You should see it connect to one, then the other, and so on. Additionally, try this:

index=_internal group=tcpin_connections

That should show data from both indexers, indicating it has a connection from the forwarder. At the time of indexing your 4MB file you should also see some kb fields go up for the .6 indexer as it received data through that tcpin connection.

TL;DR: Looks fine to me, add more data over time to see balancing.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-12-2017 05:23 AM

The order of indexers is not necessarily the order you specify in the file. In the grand scheme of running Splunk for days and years, who gets what first is not that important.

When indexing a small amount, it's likely that 100% ends up on one indexer. 4MB in 30 seconds would need just over 100kb/s, no problem at all. Additionally, when reading one file the forwarder tends to want to finish the file and then switch to another indexer. Again in the grand scheme of monitoring many files, or one regularly appended file over time, things will balance themselves out.

If you want to see the switches in action, try a search like this:

index=_internal host=your_forwarder 10.0.0.*

You should see it connect to one, then the other, and so on. Additionally, try this:

index=_internal group=tcpin_connections

That should show data from both indexers, indicating it has a connection from the forwarder. At the time of indexing your 4MB file you should also see some kb fields go up for the .6 indexer as it received data through that tcpin connection.

TL;DR: Looks fine to me, add more data over time to see balancing.

Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...