Getting Data In

Load balancing & failover between two heavy forwarders

darshan_singh01
Path Finder

Hi ,

My Splunk architecture is like this

  1. I have two data centers (DC) and one each heavy forwarder in them .In each DC all the servers are forwarding the logs to heavy forwarder of the same DC via universal forwarders .
  2. both the respective heavy forwarders are sending logs further to indexers .

Now I have the below query related to heavy forwarders ,load balancing .

  1. In case of failure of heavy forwarder of one data center ,I want all my universal forwarders directly starts polling to the other heavy forwarder .
  2. I am aware of that we can put the ip addresses of both the heavy forwarders in output.conf file of universal forwarder however how does it make sure that universal forwarder sends logs to the heavy forwarder of its own DC only in case of normal operation .Also how in case of failure of one Heavy forwarder it will send logs to the second heavy forwarder without making any config change ?

chaker
Contributor

You could provision a new HF at each site an cluster them using
http://www.linux-ha.org/wiki/Main_Page

You could also use the Gemini Splunk Appliance which contains a HA feature that can be used at the HF tier.

0 Karma

bandit
Motivator

My understanding is that this feature is not in Splunk (only automatic load balancing is available) and you would have to use something along the lines of a Load Balancer or 3DNS to assign a virtual host/ip with failover rules.

Hmm... wondering if it would work if you set autoLBFrequency to an extremely high number? i.e. 5 years in seconds 🙂

autoLBFrequency =

I don't see a maximum value stated in the outputs.conf documentation.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

bandit
Motivator

Splunk Dev, please add failover feature!

0 Karma

vince2010091
Path Finder

i'm voting for this feature too ! 🙂

0 Karma

bseader
Explorer

Please??
Me 2

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...