Getting Data In

Load balancing & failover between two heavy forwarders

Path Finder

Hi ,

My Splunk architecture is like this

  1. I have two data centers (DC) and one each heavy forwarder in them .In each DC all the servers are forwarding the logs to heavy forwarder of the same DC via universal forwarders .
  2. both the respective heavy forwarders are sending logs further to indexers .

Now I have the below query related to heavy forwarders ,load balancing .

  1. In case of failure of heavy forwarder of one data center ,I want all my universal forwarders directly starts polling to the other heavy forwarder .
  2. I am aware of that we can put the ip addresses of both the heavy forwarders in output.conf file of universal forwarder however how does it make sure that universal forwarder sends logs to the heavy forwarder of its own DC only in case of normal operation .Also how in case of failure of one Heavy forwarder it will send logs to the second heavy forwarder without making any config change ?

Path Finder

You could provision a new HF at each site an cluster them using

You could also use the Gemini Splunk Appliance which contains a HA feature that can be used at the HF tier.

0 Karma


My understanding is that this feature is not in Splunk (only automatic load balancing is available) and you would have to use something along the lines of a Load Balancer or 3DNS to assign a virtual host/ip with failover rules.

Hmm... wondering if it would work if you set autoLBFrequency to an extremely high number? i.e. 5 years in seconds 🙂

autoLBFrequency =

I don't see a maximum value stated in the outputs.conf documentation.


Splunk Dev, please add failover feature!

0 Karma

Path Finder

i'm voting for this feature too ! 🙂

0 Karma


Me 2

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!