Hi,
I'm wondering how load balancing in Splunk Cloud work.
When i install the splunkcloud.uf app on a local forwarder, the outputs.conf that is created in the app looks like so:
[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-<id>.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-<id>.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = <password>
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true
Notice that there is only one server listed. When I search for "splunk_server" in my Splunk Cloud it clearly says I have five indexers. Why aren't all those listed behind "server" as normal when using load balancing? I know there is something called the indexer discovery feature, but then I guess I would see a stanza for that in my outputs.conf. Could someone explain this to me?
This configuration is for a single instance of Splunk cloud, not a clustered instance. Clustered instances will have a input-idxXX.instancename.splunkcloud.com.
Single instance stacks, *.cloud.splunk.com, do not have multiple indexers or search heads.
This configuration is for a single instance of Splunk cloud, not a clustered instance. Clustered instances will have a input-idxXX.instancename.splunkcloud.com.
Single instance stacks, *.cloud.splunk.com, do not have multiple indexers or search heads.
Thanks for your fast answer. So the fact that it says id.cloud.indicates that there's only one indexer? If so, why are there five servers showing in my Splunk Cloud GUI? These five show when i search for * with value, count and percent.
idx2.<customer>.splunkcloud.com 383 30.763%
idx3.<customer>.splunkcloud.com 292 23.454%
idx4.<customer>.splunkcloud.com 203 16.305%
idx1.<customer>.splunkcloud.com 199 15.984%
idx5.<customer>.splunkcloud.com 168 13.494%
It looks like either your Cloud UF App is from a single instance *.cloud.splunk.com trial you have done. Or perhaps the one from your clustered stack isnt correct.
Did you install the app from your *.splunkcloud.com instance after using your *.cloud.splunk.com instance? You have to update this, it doesnt automatically change.
You are absolutely right! The app I was looking at was from a former Splunk Cloud Trial instance. There is another app for the new prod-instance of Splunk Cloud which has all the servers listed. That surely clears things up. Thanks!