Hi Experts and Splunkers,
We have an existing Splunk environment which consists of:
- 3 x clustered Search Heads
- 3 x clustered Indexers
- 1 x heavy forwarder which has several add-ons (like DB conn, AWS Add-on) and also exposes an HEC endpoint
- Other servers for other functions (like deployer, cluster master, license master etc)
We have been asked by our client to implement redundancy in the heavy forwarder as well, as it is now a single point of failure.
More specifically, we would like to have 2 HF servers for high-availability purposes - ideally Active-Active like IDX and SH.
Through our research and reading through Splunk docs and answers, we understand we can set up multiple HF servers without having to worry about data duplication for the inbound data (such as inbound data from UF with autoLB, inbound data via HEC with a load balancer).
How can we manage the data that the add-ons on the HF servers are pulling from the source system, such as DB Connect and the AWS add-on? We feel we will end up with duplicated data if we set up 2 HF servers (active-active) on which we install the same set of add-ons.
Thanks for your input in advance!