Deployment Architecture

How to switch between active/inactive forwarders when you have a cluster?

geantver0000
Engager

Hi,

When you have a Splunk forwarder on a server using a cluster (Active/Inactive), what can you do to stop the Splunk forwarder on the server that is inactive, and start the forwarder on the active one when it is needed?
I don't want to have duplicate data ...

Regards,

Steve

0 Karma

gcusello
SplunkTrust

How does your cluster run?
Does it log only on the active server (Active/Passive) or does it log on both servers (Active/Active)?

If it logs only on the active server, you don't have problems.
If it logs on both servers, it's strange because only one is active, and anyway the logs of the passive server are different from the other's.
If logs are replicated between the two servers, you should find a way to identify local logs from remote logs.

Bye.
Giuseppe

0 Karma

ddrillic
Ultra Champion

@maciep spoke about it at Is there a way to configure high availability for Splunk Forwarders, so if one is down, another will...

He concluded by saying -

-- In general though, we don't worry much about HA for forwarders. We have monitoring in place to start splunk if it stops and we get a daily report (from the Deployment Monitor app) of forwarders that haven't checked in to our deployment server. So typically we can address stopped forwarders before the data rolls.

0 Karma

geantver0000
Engager

Hi Giuseppe,

For the moment, I have installed the forwarder on the active one, but I also want to do that on the inactive one.
And I know that I will receive data from both in Splunk ... so duplicate data ...
Is there something to avoid this situation?

Regards,
Steve

0 Karma

gcusello
SplunkTrust

Hi geantver0000,
If your target servers are Active/Passive, logs are written on only one of them at a time, not on both servers, so you'll receive only one log. If you have both forwarders active, you'll continue to receive logs after switching as well.
There could be a problem with Active/Active and clustered servers with replication of logs.
What's your situation?
Bye.
Giuseppe

0 Karma