I'm at a client that is interested in knowing the abilities of Splunk to work behind load balancers.
Are these assumptions correct? I would appreciate any other knowledge on this topic!
BTW, Splunk now has search head pooling - this addresses the problem of replicating local state. BUT the remaining problems still exist and are significant reasons to NOT use load balancers for any data inbound to an indexer.
You may want to consult our sales team as they can set up time with an engineer to help directly answer these types of questions.
Traditional load balancing with multiple search heads will work for search queries. You would need to make sure the session is "sticky". However, if you want to retain your user preferences between search heads there are some known limitations. A Splunk technical person should be directly consulted if you decide to go down this road. Items such as saved searches and reports require synchronization between the search heads.
Load balancing a network input for most use cases should work fine. This would include syslog or similar input.
Using a Splunk Forwarder to load balance between indexers is preferred. Advantages include access to metrics, queueing of data, and input tracking.
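A forwarder-side `outputs.conf` for the forwarder-based load balancing recommended above, as an added example that is not part of the original thread or Splunk's own sample. The group name, hostnames, port and tuning values are constructed placeholders; check the setting names against the `outputs.conf` spec for your Splunk version.

```ini
# outputs.conf on the forwarder (added example; all values are placeholders)

[tcpout]
# Send everything to the load-balanced group defined below.
defaultGroup = lb_indexers

[tcpout:lb_indexers]
# The forwarder distributes data across these indexers itself,
# so no network load balancer sits in the forwarder-to-indexer path.
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997

# Seconds before the forwarder switches to another indexer in the list.
autoLBFrequency = 30

# Keep sent data in the forwarder's wait queue until the indexer
# acknowledges it, so a dropped connection does not lose events.
useACK = true

# Size of the in-memory output queue that buffers events while an
# indexer is slow or unreachable.
maxQueueSize = 10MB
```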
Does Splunk have any recommendations and/or config samples for load balancers should one be required?