What is the best way to index data from a distributed location

I need to add a new data input from a mount, but I have a distributed architecture (one forwarder / search head and two indexers). Should the mount go to the search head / forwarder or to both indexes?

What is the recommended solution for this?

asked 20 Jul '10, 21:12

mctester
652●3●3●24
accept rate: 75%

One Answer:

oldest newest most voted

One of the goals of a distributed architecture such as yours is to separate data input (performed by the forwarder) from the indexing and searching activities (performed by the indexer).

I would recommend to mount the filesystem that holds the files you want as input on your forwarder, and configure a [monitor] stanza in inputs.conf to monitor those directories.

http://www.splunk.com/base/Documentation/latest/Admin/Monitorfilesanddirectories#Monitor_syntax_and_examples

On a different topic, you may want to host your search head on a different server than your forwarder so that if your forwarder goes down you would still be able to search your indexed data.

link

answered 20 Jul '10, 21:23

hexx ♦
7.6k●1●9●41
accept rate: 51%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

forwarder ×404
indexing ×327
distributed ×66

Asked: 20 Jul '10, 21:12

Seen: 598 times

Last updated: 20 Jul '10, 21:23

What is the best way to index data from a distributed location

Follow this question

Splunk Resources

Related questions