Hi All,
I am currently designing a deployment with two Splunk "pods" in different data centres, each with two Indexers. For the purposes of fault-tolerance and HA, each Indexer performs an index-and-forward of the data it receives to the corresponding Indexer at the other pod.
e.g. idxA-pod1 indexes it's data and forwards it to idxA-pod2 and so on.
In the event of failure of an indexer, say idxA-pod2, once this Indexer is restored will idxA-pod1 send the data it received while the other Indexer was down? I imagine so, but need to understand the behavior.
Thanks in advance 🙂
I have a similar setup, but siteA-index1 is configured to auto load balance across the 2 indexers in siteB, as is siteA-index1
At siteB, both indexers are configured to auto LB across both indexers at site A.
This way you can have an indexer down per site without impacting availability (which is great for maintenance).
With 4.3.3 at least, i found that if the forwarding buffers filled, the forwarding-indexer itself would pause indexing.
Yes, forwarders will keep the data that they have not sent and resend it.