Getting Data In

How does universal forwarder load balancing work?

rongruspe
New Member

Given this in outputs.conf:

[tcpout: my_LB_indexers]
server=10.10.10.1:9997,10.10.10.2:9996,10.10.10.3:9995

It states in the documentation that "The universal forwarder will load balance between the three receivers listed. If one receiver goes down, the forwarder automatically switches to another one on the list."

Question is, what if 10.10.10.1:9997 is always up, does that mean it wont send the data to the other two indexers? and only then will it change indexer, once 10.10.10.1:9997 is down? Or it distributes the data to all three indexers regardless if one is up/down?

0 Karma
1 Solution

akanno
Communicator

First , a universal forwarder send the data to 10.10.10.1:9997.
30 second later , a universal forwarder send the data to 10.10.10.2:9996.
30 second later , a universal forwarder send the data to 10.10.10.3:9995.
30 second later , a universal forwarder send the data to 10.10.10.1:9997.

In short , every 30 seconds, a universal forwarder will switch to another receiver.

for more information
http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Setuploadbalancingd

View solution in original post

akanno
Communicator

First , a universal forwarder send the data to 10.10.10.1:9997.
30 second later , a universal forwarder send the data to 10.10.10.2:9996.
30 second later , a universal forwarder send the data to 10.10.10.3:9995.
30 second later , a universal forwarder send the data to 10.10.10.1:9997.

In short , every 30 seconds, a universal forwarder will switch to another receiver.

for more information
http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Setuploadbalancingd

rongruspe
New Member

right on! thanks! can't believe i missed to read that part

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...