**What we are trying to do?**
Multiple Universal forwarders with different indexes forwarding data to a load balanced address. This load balanced address has two pool members (Heavy Forwarders). These Heavy Forwarders receive and forward the data onto the indexers/3rd party systems. These indexers are not clustered to save on storage and only certain indexes are hard configured to specific indexers. I realize we could use a replication factor of one.
**The question?**
How do the Heavy Forwarders know where to send indexes if specific indexes are only configure for specific indexers.?
**Diagram**
Universal Forwarder with index=test1 ------> splunktest.com (pool members: heavyforwarder1 && heavyforwarder2)
Universal Forwarder with index=test2 ------> splunktest.com (pool members: heavyforwarder1 && heavyforwarder2)
test1 is configured only on indexer1 && test2 is configured only on indexer2
What keeps the heavy forwarders from sending index=test1 data to indexer2?
Do we just need to use indexer clustering after all?
Thank You for your time
↧