Indexing data into Splunk Remotely
Data can reside anywhere and Splunk recognizes that fact by providing the concept of forwarders. The Splunk Forwarder will collect data locally and send it to a central Splunk indexer which may reside in a remote location. One of the great advantages of this approach is that forwarders maintain an internal index for where they left off when sending data. If for some reason the Splunk Indexer has to be taken offline, the forwarder can resume its task after the indexer is brought back up. Another advantage to forwarders is that they can load balance delivery to multiple indexers. Even a Splunk Light Forwarder (a forwarder that consumes minimal CPU resources and network bandwidth) can participate in an auto load…
Indexing Events Delivered by Multicast
Although the title of this entry says indexing events delivered by multicast, the first thing I need to point out is not to do it. If you are indexing log-type events, it is not a good idea to multicast this data to all machines on the LAN just so that the one Splunk indexer listening for it can index it. Since most of the machines on the LAN won’t be interested in this data, it would be a waste of network resources, not to mention potentially unreliable.
Having said that, there may be cases where indexing events that are delivered via multicast, such as control data, is useful. For instance, application servers in a cluster often are designed…














