
Can the Universal Forwarder send data to a second indexer as a failover after a first indexer went down?

cmonig
Explorer

Hello,

Is it possible to set up a Universal Forwarder in such a way that it uses one indexer, and will try to send its data to a second configured indexer only when the first one is no longer available?

I generally need to only use one indexer. I do not want load balancing for now.
And I do not need/want to clone my data, for license reasons.

Thanks,

Christoph


kristian_kolb
Ultra Champion

To the best of my knowledge there is no out-of-the-box solution for this.

Perhaps you can make it work through some DNS trickery or have local script modifying the hosts file of the operating system. Maybe.

If you have the extra hardware standing by, why not use both?


UPDATE:

Well, I actually realized that it might be as simple as setting the AutoLBFrequency in outputs.conf on the forwarder to a VERY high value (billions). Then the forwarder should not switch to the alternate indexer unless the primary goes down.

Unfortunately, the forwarder would not switch back automatically when the primary is available again. You'd have to manually restart the alternate indexer, thereby terminating the sessions, which would cause the forwarders to return to the primary indexer.

This is a pretty weird approach, since you still need to have the alternate indexer up-and-running (or at least in hot standby) at all times.

/k
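The approach from the update above, written out as an outputs.conf fragment. This is an added example, not part of the original post or of Splunk's documentation; the host names, the group name, port 9997 and the exact value are assumptions.

```ini
# outputs.conf on the Universal Forwarder (added sketch, not from the original post)
# Host names and the group name are placeholders; 9997 is assumed as the receiving port.

[tcpout]
defaultGroup = failover_pair

[tcpout:failover_pair]
# Both indexers are listed so the forwarder has somewhere to go when its
# current connection drops.
server = idx-primary.example.com:9997, idx-standby.example.com:9997

# Seconds between load-balancing switches. The answer writes the setting as
# AutoLBFrequency; outputs.conf spells it autoLBFrequency.
# With a very large value the forwarder is expected to stay on its current
# indexer until that connection fails.
# 2000000000 is a constructed value; confirm that your version accepts it.
autoLBFrequency = 2000000000
```

The page does not say which of the listed servers the forwarder connects to first after a restart, so check that in a test environment before relying on a "primary". Failback stays manual, as the answer describes.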


hliu_splunk
Splunk Employee

This is officially supported in Splunk 6.6.0.


kristian_kolb
Ultra Champion

Glad it helped, even though I'm a bit curious as to the reasons for the requirement.

cmonig
Explorer

Thank you! This is indeed weird but interesting, and might actually work for me. Thank you for sharing your insight!
:-)

kristian_kolb
Ultra Champion

See update above.
