Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Load balancing & failover between two heavy forwarders

darshan_singh01
Path Finder
‎01-13-2014 11:47 PM

Hi ,

My Splunk architecture is like this

  1. I have two data centers (DC) and one each heavy forwarder in them .In each DC all the servers are forwarding the logs to heavy forwarder of the same DC via universal forwarders .
  2. both the respective heavy forwarders are sending logs further to indexers .

Now I have the below query related to heavy forwarders ,load balancing .

  1. In case of failure of heavy forwarder of one data center ,I want all my universal forwarders directly starts polling to the other heavy forwarder .
  2. I am aware of that we can put the ip addresses of both the heavy forwarders in output.conf file of universal forwarder however how does it make sure that universal forwarder sends logs to the heavy forwarder of its own DC only in case of normal operation .Also how in case of failure of one Heavy forwarder it will send logs to the second heavy forwarder without making any config change ?
Reply

tejasode
Observer
‎08-14-2024 04:18 AM

+1

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-14-2024 12:35 PM
Currently you must create an idea for this to ideas.splunk.com if there haven’t been that already.
0 Karma
Reply

chaker
Contributor
‎08-01-2017 07:12 PM

You could provision a new HF at each site an cluster them using
http://www.linux-ha.org/wiki/Main_Page

You could also use the Gemini Splunk Appliance which contains a HA feature that can be used at the HF tier.

0 Karma
Reply

bandit
Motivator
‎09-24-2014 08:29 AM

My understanding is that this feature is not in Splunk (only automatic load balancing is available) and you would have to use something along the lines of a Load Balancer or 3DNS to assign a virtual host/ip with failover rules.

Hmm... wondering if it would work if you set autoLBFrequency to an extremely high number? i.e. 5 years in seconds 🙂

autoLBFrequency =

I don't see a maximum value stated in the outputs.conf documentation.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

Reply

bandit
Motivator
‎09-24-2014 08:30 AM

Splunk Dev, please add failover feature!

0 Karma
Reply

vince2010091
Path Finder
‎07-17-2015 03:04 AM

i'm voting for this feature too ! 🙂

0 Karma
Reply

bseader
Explorer
‎08-01-2017 09:31 AM

Please??
Me 2

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...