Hi,
I have two different types of outputs.conf files on different forwarders.
On some forwarders we have indexer-discovery enabled, like -
[indexer_discovery:master1]
pass4SymmKey = mykey
master_uri = my-master-node.com
Logs from such servers are covered under "myIndex1" with repFactor as
[myIndex1]
repfactor = auto
The above configurations work fine.
For the other set of forwarder servers, we do not have indexer-discovery enabled, and outputs.conf looks like -
[tcpout]
defaultGroup = indexer1,indexer2,indexer3,indexer4
[tcpout:indexer1]
server = 10.20.30.41:9997
[tcpout:indexer2]
server = 10.20.30.42:9997
[tcpout:indexer3]
server = 10.20.30.43:9997
[tcpout:indexer4]
server = 10.20.30.44:9997
Logs from such servers are covered under "myIndex2".
When I set "repfactor = auto" for "myIndex2", on the Search Head I can see 4 events for each log.
What configuration should I set for "myIndex2" when I am specifically sending logs to all of the indexer servers of the Indexer Cluster?
It is not possible for me to send logs to the master URI here. And I can't just send logs to only one of the indexers, as I want to keep things fail-safe.
Send the logs to one indexer and let replication make it fail-safe. That is what replication is for.
I get your point, but I don't want to lose the real-time data (in case that one indexer node is down).
Splunk is supporting a critical infrastructure and there are scenarios when multiple servers are taken down for patching and OS-related activities.
Sending data to one indexer can impact us.
Sending data to four indexers also impacts you. It's four times the license usage and you lose out on the security replication offers.
Consider setting the useACK = true setting in inputs.conf. This will ensure the data is indexed before the forwarder moves on.
Also consider using indexer discovery. This is where the cluster master tells the forwarders which indexer to use and is helpful when an indexer is down.
Don't take down multiple Splunk servers at the same time, especially those in the same tier (indexer, search head, etc.). When an indexer is brought back on-line, allow time for rebalancing to occur before bringing down the next indexer.
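The four copies per event in the question come from listing four target groups in defaultGroup, which makes the forwarder clone every event to each group; listing the same servers in one group makes it load-balance across them and fail over when one is down. The following check is an added example, not code from the thread or from Splunk: it flags the cloning pattern in an outputs.conf and prints a single-group equivalent. The group name all_indexers and the function names are assumptions.

```python
import configparser

# Constructed sample: the cloning outputs.conf posted in the question.
SAMPLE = """\
[tcpout]
defaultGroup = indexer1,indexer2,indexer3,indexer4
[tcpout:indexer1]
server = 10.20.30.41:9997
[tcpout:indexer2]
server = 10.20.30.42:9997
[tcpout:indexer3]
server = 10.20.30.43:9997
[tcpout:indexer4]
server = 10.20.30.44:9997
"""

def parse_conf(text):
    # Only "=" is a delimiter, so "host:port" values are not split on ":".
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return cp

def cloned_groups(cp):
    """Return the defaultGroup entries when more than one is listed (cloning)."""
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    return groups if len(groups) > 1 else []

def consolidate(cp, name="all_indexers"):  # hypothetical group name
    """Merge the servers of every cloned group into one load-balanced group."""
    servers = []
    for group in cloned_groups(cp):
        raw = cp.get(f"tcpout:{group}", "server", fallback="")
        for s in (x.strip() for x in raw.split(",")):
            if s and s not in servers:
                servers.append(s)
    if not servers:
        return None  # nothing to consolidate: no cloning detected
    return (f"[tcpout]\ndefaultGroup = {name}\n"
            f"[tcpout:{name}]\nserver = {', '.join(servers)}\n")

if __name__ == "__main__":
    conf = parse_conf(SAMPLE)
    print("cloned to:", cloned_groups(conf))
    print(consolidate(conf))
```
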