Hey all!
I am trying to understand splunk a little better. I am trying to setup a search head and two indexers. I have all that configured (well everything is added into the search head). Now I am wondering, aside from the splunk forwarder handling automatic load balancing between the two index nodes, what is the best practice on getting data into the indexes? Put more clearly, say i want to collect rsyslogd data on port 514. Do I need to configure each indexer, and then make sure that I am alternating which 'nix boxes i am assigning to which indexer? Or do I need to configure the search head as a forwarder, use that as a single point of entry for everything (how well would that scale?) and then let the splunk forwarder LB it between the two indexers? Do i need to create the indexes manually on each index node?
Lots of questions, like I mentioned I am new to all this.
Thanks!
Zach
... View more