Getting Data In

Splunk Arcitechture with HA for all components in a large deployment

jg91
Path Finder

Hello, dear Splunkers,
We want to deploy Splunk in our company and one of our important concerns is High Availability.
Would you please suggest me an architecture that covers HA for all Splunk components? My main concern is about UDP Syslogs from network devices. (we don't have any network load balancer device.)
In our initial plan, we are going to use indexer clustering and autoLB configuration on UFs, but we don't know how to handle UDP Syslog inputs, License Manager, and Deployment Server and other components high availability.
Thank you.

0 Karma
1 Solution

adonio
Ultra Champion

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

View solution in original post

adonio
Ultra Champion

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...