Getting Data In

Splunk Arcitechture with HA for all components in a large deployment

Explorer

Hello, dear Splunkers,
We want to deploy Splunk in our company and one of our important concerns is High Availability.
Would you please suggest me an architecture that covers HA for all Splunk components? My main concern is about UDP Syslogs from network devices. (we don't have any network load balancer device.)
In our initial plan, we are going to use indexer clustering and autoLB configuration on UFs, but we don't know how to handle UDP Syslog inputs, License Manager, and Deployment Server and other components high availability.
Thank you.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

View solution in original post

SplunkTrust
SplunkTrust

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!