Re: High availability setup - daily indexed volume

mikehibbert · ‎10-04-2012

We have a set-up where all of the forwarders send data to indexer A and indexer A forwards this on to indexer B, hence giving us a high (data query) availability solution.

What confuses me is that the indexed data on indexer B is double that on A... This doesn't seem to make sense to me, it should be identical?

Indexer B is also above the HA license quota, yet never violates. Obviously this is something to do with the HA license, but since I don't understand the mechanics of this thoroughly I'm not sure exactly why it doesn't violate.

Please could someone shed some light?!

Damien_Dallimor · ‎10-04-2012

What confuses me is that the indexed data on indexer B is double that on A

Perhaps as well as Indexer A cloning on to Indexer B your forwarders are also cloning to Indexer B ?? Just taking a guess in the dark, but something to check for anyway.

Drainy · ‎11-29-2012

hmm, it was my first thought to. Probably a good idea to double check the config on the forwarders in case someone has created a group and popped both indexers into it

mikehibbert · ‎11-29-2012

I don't think this is the case, as the solution document says agents will need to be reconfigured to "point" to the other indexer in case of failure... Good idea though!

High availability setup - daily indexed volume

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!