Getting Data In

Can a "redundancy" forwarder be triggered to send logs if the primary forwarder is down?

dineshp
Explorer

Hi,
Is it possible to configure the indexer to index logs from one forwarder only (say forwarder 1) and, if logs from "forwarder 1" stop, start indexing logs from "forwarder 2"?

At the moment, we have two universal forwarders (for redundancy purposes) sending the same data to one indexer. So we are consuming twice as much of the licence. Is there a way to remove duplicate logs before they get indexed, or to listen to one forwarder at a time?

Many Thanks

0 Karma

ddrillic
Ultra Champion

Interesting perspective from @maciep at Is there a way to configure high availability for Splunk Forwarders, so if one is down, another will...

He said -

-- Before my time here we had something kind of similar in active/inactive state. It was actually two syslog servers. Both servers would get the same data in the same folders/files but only one would have the forwarder running at any given time. The trick though was to put the fishbucket on a mount point and then symlink it on both servers from the normal fishbucket location.

So the failover scenario was still manual - meaning we had to start up splunk on the backup server. But when it started, it was using the same fishbucket as primary so it knew where to start reading files from.

I'm not sure how good of a solution that was but it could be an option for you. As long as the forwarders are reading from the same place and share a fishbucket, I guess it would work?

In general though, we don't worry much about HA for forwarders. We have monitoring in place to start splunk if it stops and we get a daily report (from the Deployment Monitor app) of forwarders that haven't checked in to our deployment server. So typically we can address stopped forwarders before the data rolls.

Hope that helps a little

0 Karma

s2_splunk
Splunk Employee

No, and you shouldn't need to be doing this. First of all, your two forwarder instances know nothing about each other wrt where they are in the forwarding process (they have separate _fishbucket indices), so you will have no assurances about data accuracy/completeness.
Forwarders typically don't just quit, so why don't you put a process in place that monitors the forwarder process on the host system and restarts it if it goes down?
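
The process monitor suggested in the answer above, as an added example (not part of the original thread and not Splunk's own code): a cron-driven watchdog that checks the forwarder with `splunk status`, restarts it with `splunk start`, and logs each outage so gaps in log collection can be alerted on. The install path, log path, retry settings and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example: universal forwarder watchdog, intended to be run from cron.
# Assumed defaults (adjust to the host): install path, log file, retry policy.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunkforwarder/bin/splunk}"
WATCHDOG_LOG="${WATCHDOG_LOG:-/var/log/uf_watchdog.log}"
MAX_RESTARTS="${MAX_RESTARTS:-3}"

# Append a timestamped key=value line that a monitoring tool can alert on.
log() {
    printf '%s uf_watchdog %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$WATCHDOG_LOG"
}

# "splunk status" exits 0 when splunkd is running and non-zero otherwise.
forwarder_running() {
    "$SPLUNK_BIN" status >/dev/null 2>&1
}

# Returns 0 if the forwarder is running (or was restarted successfully),
# 1 if it is still down after MAX_RESTARTS attempts.
ensure_forwarder() {
    if forwarder_running; then
        return 0
    fi
    log "status=down action=restart"
    attempt=1
    while [ "$attempt" -le "$MAX_RESTARTS" ]; do
        "$SPLUNK_BIN" start >/dev/null 2>&1
        if forwarder_running; then
            log "status=recovered attempts=$attempt"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "${RETRY_DELAY:-5}"
    done
    # Still down: leave a line that should page someone.
    log "status=failed attempts=$MAX_RESTARTS"
    return 1
}

# Example cron entry: */5 * * * * /usr/local/bin/uf_watchdog.sh run
if [ "${1:-}" = "run" ]; then
    ensure_forwarder
    exit $?
fi
```
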
