Planning redundancy
The term redundancy can mean different things, depending on your concern. Splunk has features to help with some of these concerns but not others. In a nutshell, up to and including Version 4.3, Splunk is excellent at making sure data is captured but provides essentially no mechanism for reliably replicating data across multiple indexers. Splunk 5, not covered in this book, adds data replication features that can eliminate most of these concerns.
Indexer load balancing
Splunk forwarders are
responsible for load balancing across indexers. This is accomplished most simply by providing a list of indexers in outputs.conf, as shown in the following code:
[tcpout:nyc] server=nyc-splunk-index01:9997,nyc-splunk-index02:9997
If an indexer ...
Get Implementing Splunk: Big Data Reporting and Development for Operational Intelligence now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
