Getting Data In

Splunk Arcitechture with HA for all components in a large deployment

jg91
Path Finder

Hello, dear Splunkers,
We want to deploy Splunk in our company and one of our important concerns is High Availability.
Would you please suggest me an architecture that covers HA for all Splunk components? My main concern is about UDP Syslogs from network devices. (we don't have any network load balancer device.)
In our initial plan, we are going to use indexer clustering and autoLB configuration on UFs, but we don't know how to handle UDP Syslog inputs, License Manager, and Deployment Server and other components high availability.
Thank you.

0 Karma
1 Solution

adonio
Ultra Champion

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

View solution in original post

adonio
Ultra Champion

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...