Distributed Splunk enhancements
This documentation does not apply to the most recent version of Splunk.
Deploy applications, binaries, XML files
Splunk has extended the Deployment Server to allow it to push almost any file type to other Splunk instances; for example, .gz, .zip, and .xml files can be remotely deployed. Users can now define the deployment file location, which can be local or remote, to dynamically synchronize the deployment server source files. Also, extended server class semantics allow server definitions to overlap within the server class topology.
Learn more about deployment server in the Admin Manual.
Enhanced Splunk data routing
Splunk adds new support for routing data to a user-defined destination via UDP- or TCP-based syslog output. Syslog facility and priority settings for TCP are customizable to provide superior flexibility and control in syslog routing. Any indexed data format can be routed out to another system (either Splunk or third-party syslog listeners), with or without Splunk processing, and at the priority you choose. Additional protections allow for packet-level tolerance or intolerance of non-conforming syslog inputs prior to routing.
Learn more about routing data based on syslog facility and priority in the Admin Manual.
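The facility, priority, and tolerance ideas above can be shown with a small check that a relay could apply before forwarding. This is an added example, not Splunk code: the function names, the `tolerant` switch, and the sample events are assumptions, and the `<N>` header rule (N = facility * 8 + severity, 0 to 191) comes from the syslog RFCs.

```python
import re

# Syslog PRI header: "<N>" at the start of the line, N = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>")

def encode_pri(facility: int, severity: int) -> str:
    """Return the '<N>' header for a facility (0-23) and severity (0-7)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>"

def decode_pri(line: str):
    """Return (facility, severity), or None if the header is missing or invalid."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    value = int(m.group(1))
    if value > 191:          # 23 * 8 + 7 is the largest legal value
        return None
    return divmod(value, 8)

def route(line: str, default_pri: str, tolerant: bool):
    """Prepare one event for syslog output (hypothetical relay policy).

    Conforming lines pass through unchanged. A non-conforming line keeps
    its text and gets default_pri prepended (tolerant), or is dropped
    by returning None (intolerant).
    """
    if decode_pri(line) is not None:
        return line
    return default_pri + line if tolerant else None

def route_all(lines, default_pri: str, tolerant: bool):
    """Apply route() to every line and keep only the forwarded ones."""
    routed = (route(line, default_pri, tolerant) for line in lines)
    return [out for out in routed if out is not None]

# Constructed sample events (not real log data).
SAMPLES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for user1",      # auth.crit
    "Oct 11 22:14:16 host1 sshd[411]: Accepted publickey for user2",  # no header
    "<999>Oct 11 22:14:17 host1 app: out-of-range priority",          # invalid
]

if __name__ == "__main__":
    for out in route_all(SAMPLES, encode_pri(1, 5), tolerant=True):
        print(out)
```

Intolerant mode drops events silently, so a relay used for security monitoring should count or log the rejected lines to keep the gap visible.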
Automatic load balancing
Auto load balancing allows dynamic connections and dynamic failover from Splunk forwarders to Splunk indexers. It improves the reliability of the forwarder and indexer mechanisms across a distributed topology. Multiple routing algorithm types are supported, including round robin and least-recently-used. Enterprise customers can also leverage more sophisticated DNS load balancing with full FQDN name resolution. New load balancing features include:
- dynamic reconnection and retry
- selectable routing algorithm controls
- metrics for potential notification(s)
- enhanced configuration controls
- FQDN server name resolution
Learn more about automatic load balancing in the Admin Manual.
Bandwidth compression
The bandwidth usage of Splunk forwarding is significantly reduced through new network bandwidth compression capabilities that are fully administrator-configurable.
For details on SSL compression for distributed deployments, see "Secure access to your Splunk server with SSL" in the Admin Manual and check out the SSLConfig setting in server.conf.
For details on SSL compression for forwarded data, see "Use SSL encryption between forwarders and receivers" in the Admin Manual.
Benefits
Splunk users can optimize their production environments by implementing these distributed system enhancements. Splunk now supports improved networking throughput, can act as a proxy for filtering and routing syslog data, load balances network access to indexers, and can deploy new file types to ease application distribution.
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11