The disadvantages of this approach include:
• The forwarder must be installed on each server. If you already have a system
for distributing software, this is not a problem. We will discuss strategies
in the Deploying the Splunk binary section.
• The forwarder process must have read rights to all logs to be indexed.
This is usually not a problem but does require some planning.
This typical deployment looks like the following figure:
If your servers produce more than 100 gigabytes of logs each day, you need
to think about multiple indexers. We will talk about this further in the Sizing
indexers section.
Monitoring logs on a shared drive
Some customers configure all servers to write their logs to a network share,
NFS or otherwise. This setup can be made to work, but it is not ideal.
The advantages of this approach include:
• A forwarder does not need to be installed on each server that is writing its
logs to the share.
• Only the Splunk instance reading these logs needs rights to the logs.
The disadvantages of this approach include:
• The network share can become overloaded and turn into a bottleneck.
• If a single file has more than a few megabytes of unindexed data, the Splunk
process will only read this one log until all data is indexed. If there are
multiple indexers in play, only one indexer will be receiving data from this
forwarder. In a busy environment, the forwarder may fall behind.
• Multiple Splunk forwarder processes do not share information about what
files have been read. This makes it very difficult to manage a failover for
each forwarder process without a SAN.
 