Deployment Architecture

splunk indexer restart network

sympatiko
Communicator

Hi SPlunkers,

Good day! I have a RF=3 and SF=3. I also have a forwarder which is doing the load balance forwarding of logs in 3 indexers. I'm going to update the ip of 3 indexers, if I do it 1 by 1 is it better if I stop the forwarder splunk then stop splunk indexer then change ip?

Thanks,

Tags (2)
0 Karma

sympatiko
Communicator

Hi,

Thanks for all your response. My only concern here is if the forwarder cannot see one of my 3 indexers does it forward the logs to the available indexer?

Thanks

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

If you have acknowledge (useAck) enabled on forwarder then yes it will send to another indexer.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

You're best approach would be as follows:

1) Add the new addresses to the outputs.conf on your HF layer. If the HF cannot connect to an IP, it will roll to the next one without data being lost.
2) Change your indexer's IP Addresses one at a time, bring up the IP and make sure your Splunk input is listening.
3) Repeat for all the indexers
4) Validate that the HF is connecting to all ( $splunk_home$/bin/splunk list forward-server)
5) Remove the old IP's from the outputs.conf on the HF.

0 Karma

hcbomb
Path Finder

This is a bit more of a networking question than necessarily a Splunk administration question.

Are you using straight up IPs in your output.conf? I would suggest using hostnames and editing your A records and including @harsmarvania57's input as well on the server side. Or instead use a VIP or A record pointing to multiple IPs of your indexers. His advice probably reduces the most friction possible. My advice adds to further his.

Let us know your decision/progress!

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

I will suggest add one more interface on the server with new IP. Change all forwarders configuration to send data on new IP. After that remove old IP interface from server. But you need to reboot the server when you add or remove new interface.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...