Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Reliability of a forwarder

kris2000
Explorer
‎06-17-2010 04:42 PM

Hello everyone ,

We are planning to have a Splunk setup as below:

LightForwarders -> Forwarders -> Indexers

Assuming that all the above instances are on different physical hosts -

When a forwarder goes down(either gracious or kill) is there a possibility that the data/events could be lost? This is assuming when all the values for parameters like blockOnCloning, dropEventsOnQueueFull, maxQueueSize are set for max reliability.

i.e., Is it possible that Light forwarder did send the data to forwarder but the forwarder had died before forwarding to indexer(s). At that point when forwarder comes back to life again can it recover from the data loss?

The above question might boil down to whether the forwarder's(listening on the network, not tailing a local file) queue is persistent or not?

We have a '0' dataloss requirement can it be achieved with this setup with proper configuration on Splunk?

Thanks help,

-Kris

Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-17-2010 07:58 PM

There is currently no 0% data loss guarantee possible under all possible failure conditions, though we're actively working on that by adding an acknowledgment channel back to the forwarders.

Assuming only scheduled outages, as long as you have two indexers that you're sending to using autoLB lightweight forwarding, you can take down any system with no data loss.

Assuming you're reading from files, you can shut down forwarders at any time without loss, as we'll keep track of our location. For network inputs, a shut down forwarder cannot listen, so the implication is clear.

I'm not sure why you have a tier of forwarders here. Having that layer is typically detrimental to performance and manageability.

I wouldn't tune any of the parameters unless you have an elaborate deployment with cloning.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-17-2010 07:58 PM

There is currently no 0% data loss guarantee possible under all possible failure conditions, though we're actively working on that by adding an acknowledgment channel back to the forwarders.

Assuming only scheduled outages, as long as you have two indexers that you're sending to using autoLB lightweight forwarding, you can take down any system with no data loss.

Assuming you're reading from files, you can shut down forwarders at any time without loss, as we'll keep track of our location. For network inputs, a shut down forwarder cannot listen, so the implication is clear.

I'm not sure why you have a tier of forwarders here. Having that layer is typically detrimental to performance and manageability.

I wouldn't tune any of the parameters unless you have an elaborate deployment with cloning.

0 Karma
Reply
Solved! Jump to solution

kris2000
Explorer
‎06-18-2010 12:59 PM

Stephen,

  Thanks for your clear response. Appreciate it!!

Kris

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...