My Splunk architecture is like this
Now I have the below query related to heavy forwarders ,load balancing .
You could provision a new HF at each site an cluster them using
You could also use the Gemini Splunk Appliance which contains a HA feature that can be used at the HF tier.
My understanding is that this feature is not in Splunk (only automatic load balancing is available) and you would have to use something along the lines of a Load Balancer or 3DNS to assign a virtual host/ip with failover rules.
Hmm... wondering if it would work if you set autoLBFrequency to an extremely high number? i.e. 5 years in seconds 🙂
I don't see a maximum value stated in the outputs.conf documentation.