Planning redundancy
The term redundancy can mean different things, depending on your concern. Splunk has features to help with some of these concerns but not others. In a nutshell, up to and including Version 4.3, Splunk is excellent at making sure data is captured but provides essentially no mechanism for reliably replicating data across multiple indexers. Splunk 5, not covered in this book, adds data replication features that can eliminate most of these concerns.
Indexer load balancing
Splunk forwarders are
responsible for load balancing across indexers. This is accomplished most simply by providing a list of indexers in outputs.conf, as shown in the following code:
[tcpout:nyc] server=nyc-splunk-index01:9997,nyc-splunk-index02:9997
If an indexer is unreachable, the forwarder will simply choose another indexer in the list. This scheme works very well and powers most Splunk deployments.
If the DNS entry returns multiple addresses, Splunk will balance between the addresses on the port specified...
