Getting Data In

Load balancing & failover between two heavy forwarders

darshan_singh01
Path Finder

Hi ,

My Splunk architecture is like this

  1. I have two data centers (DC) and one each heavy forwarder in them .In each DC all the servers are forwarding the logs to heavy forwarder of the same DC via universal forwarders .
  2. both the respective heavy forwarders are sending logs further to indexers .

Now I have the below query related to heavy forwarders ,load balancing .

  1. In case of failure of heavy forwarder of one data center ,I want all my universal forwarders directly starts polling to the other heavy forwarder .
  2. I am aware of that we can put the ip addresses of both the heavy forwarders in output.conf file of universal forwarder however how does it make sure that universal forwarder sends logs to the heavy forwarder of its own DC only in case of normal operation .Also how in case of failure of one Heavy forwarder it will send logs to the second heavy forwarder without making any config change ?

chaker
Contributor

You could provision a new HF at each site an cluster them using
http://www.linux-ha.org/wiki/Main_Page

You could also use the Gemini Splunk Appliance which contains a HA feature that can be used at the HF tier.

0 Karma

bandit
Motivator

My understanding is that this feature is not in Splunk (only automatic load balancing is available) and you would have to use something along the lines of a Load Balancer or 3DNS to assign a virtual host/ip with failover rules.

Hmm... wondering if it would work if you set autoLBFrequency to an extremely high number? i.e. 5 years in seconds 🙂

autoLBFrequency =

I don't see a maximum value stated in the outputs.conf documentation.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

bandit
Motivator

Splunk Dev, please add failover feature!

0 Karma

vince2010091
Path Finder

i'm voting for this feature too ! 🙂

0 Karma

bseader
Explorer

Please??
Me 2

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...