Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Arcitechture with HA for all components in a large deployment

jg91
Path Finder
‎04-29-2020 08:54 AM

Hello, dear Splunkers,
We want to deploy Splunk in our company and one of our important concerns is High Availability.
Would you please suggest me an architecture that covers HA for all Splunk components? My main concern is about UDP Syslogs from network devices. (we don't have any network load balancer device.)
In our initial plan, we are going to use indexer clustering and autoLB configuration on UFs, but we don't know how to handle UDP Syslog inputs, License Manager, and Deployment Server and other components high availability.
Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-29-2020 06:02 PM

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-29-2020 06:02 PM

its a pretty large question ....
you can use docs here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Deploy/Distributedoverview
and read about HA and how to handle ...
in general, for License Master and Deployment Server, i will recommend to check if you really need HA, as the environemnt can function well even when or if they are down for a long time (aprox 72 hours) which imho is enough time to bring them back up.
as for syslog UDP, the data sources are (almost) always a single point of failure, you can build a syslog cluster but in most cases itll require a load balancer, which you said you dont have.
Will recommend to call your Splunk SE or hire some Splunk PS / Architect to help you with your task.
I am not sure this forum has enough space to answer all that as there are more questions (to you) and dialog required imho

hope it helps a little

Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...