Setting up a Splunk indexer cluster consists of the following:
idx01 : indexer mode: master
idx02 : indexer mode: slave
idx03 : indexer mode: slave
idx04 : indexer mode: slave
sh01 : search head
sh02 : search head
sh03 : search head
uf01 : universal forwarder
uf02 : universal forwarder

# cat ../etc/system/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://idx01:9997]

[tcpout-server://idx02:9997]

[tcpout-server://idx03:9997]

[tcpout-server://idx04:9997]

[tcpout:default-autolb-group]
disabled = false
server = idx01:9997,idx02:9997,idx03:9997,idx04:9997

# ./splunk list forward-server
Active forwards:
idx02:9997
Configured but inactive forwards:
idx01:9997
idx03:9997
idx04:9997

What is the best practice here?
1. Should 'universal forwarder' forward to idx01 (master-node) only and let master-node do the auto-load-balancing to all slave indexers?
2. Should 'universal forwarder' forward to all indexers (idx01, idx02, idx03, idx04) and let the universal forwarder do the auto-load-balancing?
3. Should 'universal forwarder' NOT forward to master-node (idx01), but to other slave indexers (idx02, idx03, idx04) and let the universal forwarder do the auto-load-balancing?
Or something else?
Thank you.
Should I configure a universal forwarder to forward data to the master node in an indexer cluster?