Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Arcitechture with HA for all components in a large deployment

jg91
Path Finder
‎04-29-2020 08:54 AM

Hello, dear Splunkers,
We want to deploy Splunk in our company and one of our important concerns is High Availability.
Would you please suggest me an architecture that covers HA for all Splunk components? My main concern is about UDP Syslogs from network devices. (we don't have any network load balancer device.)
In our initial plan, we are going to use indexer clustering and autoLB configuration on UFs, but we don't know how to handle UDP Syslog inputs, License Manager, and Deployment Server and other components high availability.
Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-29-2020 06:02 PM

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-29-2020 06:02 PM

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...