Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Reliability of a forwarder

kris2000
Explorer
‎06-17-2010 04:42 PM

Hello everyone ,

We are planning to have a Splunk setup as below:

LightForwarders -> Forwarders -> Indexers

Assuming that all the above instances are on different physical hosts -

When a forwarder goes down(either gracious or kill) is there a possibility that the data/events could be lost? This is assuming when all the values for parameters like blockOnCloning, dropEventsOnQueueFull, maxQueueSize are set for max reliability.

i.e., Is it possible that Light forwarder did send the data to forwarder but the forwarder had died before forwarding to indexer(s). At that point when forwarder comes back to life again can it recover from the data loss?

The above question might boil down to whether the forwarder's(listening on the network, not tailing a local file) queue is persistent or not?

We have a '0' dataloss requirement can it be achieved with this setup with proper configuration on Splunk?

Thanks help,

-Kris

Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-17-2010 07:58 PM

There is currently no 0% data loss guarantee possible under all possible failure conditions, though we're actively working on that by adding an acknowledgment channel back to the forwarders.

Assuming only scheduled outages, as long as you have two indexers that you're sending to using autoLB lightweight forwarding, you can take down any system with no data loss.

Assuming you're reading from files, you can shut down forwarders at any time without loss, as we'll keep track of our location. For network inputs, a shut down forwarder cannot listen, so the implication is clear.

I'm not sure why you have a tier of forwarders here. Having that layer is typically detrimental to performance and manageability.

I wouldn't tune any of the parameters unless you have an elaborate deployment with cloning.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-17-2010 07:58 PM

There is currently no 0% data loss guarantee possible under all possible failure conditions, though we're actively working on that by adding an acknowledgment channel back to the forwarders.

Assuming only scheduled outages, as long as you have two indexers that you're sending to using autoLB lightweight forwarding, you can take down any system with no data loss.

Assuming you're reading from files, you can shut down forwarders at any time without loss, as we'll keep track of our location. For network inputs, a shut down forwarder cannot listen, so the implication is clear.

I'm not sure why you have a tier of forwarders here. Having that layer is typically detrimental to performance and manageability.

I wouldn't tune any of the parameters unless you have an elaborate deployment with cloning.

0 Karma
Reply
Solved! Jump to solution

kris2000
Explorer
‎06-18-2010 12:59 PM

Stephen,

  Thanks for your clear response. Appreciate it!!

Kris

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...