i have 4 region of splunk server and the architecture is
Uf(data from 20 location) ---> HF >>>>indexer .... search head
so if i add any new UF which is replacing old server. i need to change props.conf to route the data into correct indexer. which requires a restart the HF . during this time there is loss of some events and flooded of data to HF once it backs online.
can you please suggest best practice to overcome of missing events and flooded of data?
i dont have clustering...
↧