Hi, is anyone doing this sort of configuration?
AIX HACMP cluster with shared storage, log file is on shared storage.
Active passive cluster so node A is active, B is standby.
Splunk tail watches logfiles on shared storage, shared storage active on A side.
A logs to Splunk fine.
Now, if we were to fail over to B node, stop Splunk on A as failover happens.
B starts up, and sees logs as "new", therefore logs duplicate records to Splunk.
Is there a simple way to tell Splunk to not read all historical data?
Is there a way to have a virtual Splunk "instance" that can run on either node alongside the "actual" Splunk instance for each node?
Any best practice for clustered environment with shared storage docs?
Thanks in advance 🙂