Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Data Replication/Cloning for HA architectures

Damien_Dallimor
Ultra Champion
‎07-27-2011 04:00 AM

Using Splunk functionality, I see that you can enable data cloning/replication either by:

a) configuring a forwarder to load balance over indexers in a primary cluster and also clone data to a indexers in a mirrored cluster

b) configuring the primary indexer cluster to replicate data to a mirrored indexer cluster

On the surface of things, I can't really see any glaringly major differences in either approach.

Any advice on the recommended approach would be appreciated.

DD.

Reply

mahamed_splunk
Splunk Employee
Splunk Employee
‎02-20-2013 03:22 PM

As of Splunk 5.0, the recommended approach is Index Replication.

More info

http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Aboutclusters

0 Karma
Reply

Glenn
Builder
‎10-13-2011 05:38 AM

Benefits of B:

  • It ensures that datasets on primary and mirrored indexers are identical (if one indexer goes down in cloning situation, it may miss events while the other continues to accept them).
  • Moves extra resource usage (network traffic, cpu cycles) due to dealing with HA from the forwarder (where you probably don't want to interfere with your apps' performance) to the indexer.
  • You have the option to tweak what is and isn't forwarded between the primary and mirrored indexers if you want to for some reason. Option A is just a blind clone.
  • Probably some other reasons I don't know about! I know for a fact that HA using autoLB on forwarders and then forwarding data from the indexer(s) is now the official recommendation over the old recommendation of using cloning on the forwarders (according to our Splunk consultants and workshops at a SplunkLive event).
0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...