What's the best practice when enabling collectD with a large group of servers to an existing HTTP Event Collector?

Builder

All,

I have 4 reference servers behind a load balancer receiving less than 20 gigs a day from an application source. So it's major overkill.

I want to enable collectD from about 3000 Linux hosts. I'd like to just use the same setup, so I am not wasting hardware.

Any reason why this would be a bad idea? Is there a best practice? Part of me was thinking I should create another HEC instance on another port to separate things. But I shouldn't need to do that, right? I can just use props.conf?

thanks
-Daniel

0 Karma

SplunkTrust

Hi, I am not sure these HEC slides actually answer your question. Maybe you can explain what you want to do in a little more detail.
Take a look at this .conf presentation or take a look at this blog posting.

Skalli

0 Karma

Ultra Champion

@daniel333 - I'm also having trouble following what's going on. Specifically, if you could clarify...

  • "4 reference servers" - this is open to interpretation. What are you referring to exactly? Are these indexers, HEC forwarders, or something unrelated to Splunk?
  • "behind a load balancer" - is it a HEC endpoint being load balanced or a traditional TCP receiver?
  • "same setup" - Do you mean the same "4 reference servers" or do you mean the collectd configuration should be the "same setup"?
0 Karma