Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Small Setup DR

mbalzarini
New Member
‎02-07-2014 02:12 PM

We have a very small install of a single Splunk 6.01 server. We are required to have DR capability for all of our production servers and I wanted to see what the best way to do this. Would the reccomended route be to setup a Forwarder from our Prod server to the DR server and run with the "indexAndForward = true" setting? Thank you for your assistance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-08-2014 02:30 AM

There are several approaches, depending on what you need in which disaster scenario.

Your idea should work for mirroring data that arrives at your prod server while it is available, but what happens once the prod server dies? It loses its data, no problem - that was mirrored to the DR server... but now the DR server stops getting data because the prod server is gone. Whether that's a problem for you or not depends on your risk management requirements.

As an alternative, you can configure your forwarders to clone the data to prod and DR, so even when the prod server dies the DR server is still getting data.

As another alternative, you can set up a small Splunk cluster. That won't impact your license, but only protect against small-scale failures of single machines - not against a major datacenter disaster.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-08-2014 02:30 AM

There are several approaches, depending on what you need in which disaster scenario.

Your idea should work for mirroring data that arrives at your prod server while it is available, but what happens once the prod server dies? It loses its data, no problem - that was mirrored to the DR server... but now the DR server stops getting data because the prod server is gone. Whether that's a problem for you or not depends on your risk management requirements.

As an alternative, you can configure your forwarders to clone the data to prod and DR, so even when the prod server dies the DR server is still getting data.

As another alternative, you can set up a small Splunk cluster. That won't impact your license, but only protect against small-scale failures of single machines - not against a major datacenter disaster.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...