
Splunk hosting on an internal site

chirag3pillar
Explorer

Hi Support,
I am a production licensed user of Splunk. Though we have done all our dashboard and report POCs in the staging environment, the time has now arrived to deploy in production.
For the same, we have two new high-end servers being set up which will hold our indexers and search heads. So, for example, we have 12 forwarders sending log data; it shall be received by the indexers for indexing, and the search head shall be searching. The IPs of the new servers can be accessed like 10.15.0.2:8000 and 10.15.0.3:8000. Now comes my question:
1. Is it possible to host these sites by a single DNS and access through LB?
2. Can I access the sites not by typing the IPs:8000 but use DNS name resolution?
In staging, we were only testing stuff; that's why these questions have come in now.
Please let me know or guide me to some documented feedback.
Thanks
Regards, Chirag


dwaddle
SplunkTrust

There are really two aspects to this question.

First one is the question of configuring forwarders to reach your indexers using DNS. And, yes, you can absolutely do that. But, rather than an IP Load balancer like an F5, configure Splunk's auto-lb support in outputs.conf. You list each indexer in the output group, using its IP or (preferably) its DNS.

Second is configuring SplunkWeb for end-user access for the purpose of running searches. I assume this is your primary concern simply because of the "port 8000". You can of course use DNS to establish a domain name for your Splunk installation. But, load balancing splunkweb is harder because of the need for shared state between the search heads. Larger installations accomplish this through "search head pooling", which is a fairly advanced topic. You can begin to read on it at http://docs.splunk.com/Documentation/Splunk/6.0.1/DistSearch/Configuresearchheadpooling .

If you are new to Splunk, setting up search head pooling may not be trivial. You should read all the documentation on it once (perhaps twice), ask good questions of your SE or Splunk support when they come up, do a couple of practice configurations, and strongly consider a professional services engagement to help you accomplish this.

0 Karma
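
The forwarder-side auto load balancing described in the answer above, as an added example that is not part of the original posts. The indexer host names and the output group name are hypothetical, and 9997 is assumed to be the receiving port configured on the indexers.

```ini
# outputs.conf on each forwarder (added example, not from the original thread).
# Assumptions: the host names and group name below are hypothetical, and 9997
# is assumed to be the receiving port enabled on the indexers.

[tcpout]
defaultGroup = production_indexers

[tcpout:production_indexers]
# Listing more than one indexer makes the forwarder load balance across them,
# so no external IP load balancer is needed on this path.
# DNS names are used here rather than raw IPs, as the answer recommends.
server = idx1.example.internal:9997, idx2.example.internal:9997

# Seconds the forwarder stays on one indexer before switching to another.
autoLBFrequency = 30
```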

dwaddle
SplunkTrust

I would separate the "DNS" and "Load Balancing" concerns. DNS is a non-issue. For LB, I think I would start with some questions. Do you absolutely NEED more than one search head? And if you do, do you NEED users spread out across the multiple heads? If you do, the right way to do it is with search head pooling. Pooling gives your search heads the ability to share state. You can do load balancing without pooling, but you will need to do sticky ports and have users understand that swapping search heads could be disruptive.

0 Karma

chirag3pillar
Explorer

Thanks for the input & feedback for the guidance to the documentation.
2 more:
- For forwarders, I can do it through the internal IPs and don't need it through the DNS, so we are fine on that front.
- Yes, the second one is primarily not giving the users something like 10.15.0.2:8000 to hit for queries, but something like splunk.companyname.com which is set up on the LB and resolving DNS to 10.15.0.2:8000 or 10.15.0.3:8000. You say that is possible, right?
Also, you meant that in case I want to set up the above, it would require search head pooling and then LB comes in. Is this understanding correct? lmk thks

0 Karma