Splunk® Enterprise

Forwarding Data


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Set up load balancing

With load balancing, a forwarder distributes data across several receiving Splunk instances. Each receiver gets a portion of the total data, and together the receivers hold all the data. To then access the full set of forwarded data, set up distributed searching across all the receivers. For information on distributed search, see About distributed search in the Distributed Search manual.

Load balancing improves performance by letting forwarders send data to several receivers at once. In addition, its automatic switchover capability ensures resiliency in the face of machine outages. If a receiver goes down, the forwarder simply begins sending data to the next available receiver.

Load balancing can also be of use when getting data from network devices like routers. To handle syslog and other data generated across port 514, a single heavy forwarder can monitor port 514 and distribute the incoming data across several indexers.

When you implement load balancing between forwarders and receivers, you must use the functionality that comes with the forwarder. Do not use an external load balancer, as load balancers between forwarders and receivers do not work properly.

How load balancing works

A forwarder automatically routes data to different indexers based on a specified time interval that you can configure. For example, assume you have a load-balanced group consisting of three indexers: A, B, and C. At some specified interval, such as every 30 seconds, the forwarder switches the data stream to another indexer in the group, selected at random. So, the forwarder might switch from indexer B to indexer A to indexer C, and so on. If one indexer is down, the forwarder immediately switches to another.

To expand on this a bit, there is a data stream for each of the inputs that the forwarder is configured to monitor. The forwarder determines if it is safe for a data stream to switch to another indexer. Then, at the specified interval, it switches the data stream to the newly selected indexer. If it cannot switch the data stream to the new indexer safely, it keeps the connection to the previous indexer open and continues to send the data stream until it has been safely sent.

Universal forwarders have a slight disadvantage in that they can't switch indexers when monitoring TCP network streams of data unless they encounter an End of File (EOF) marker in the stream or an indexer goes down. When this happens, the universal forwarder switches to the next indexer in the list. Because the universal forwarder does not parse the data and identify event boundaries before forwarding (unlike a heavy forwarder), it has no way of knowing when it's safe to switch to the next indexer unless it receives an EOF.

This diagram shows a typical load-balancing scenario, in which three forwarders are sending load-balanced data across a set of two receiving indexers:

[Diagram: three forwarders sending load-balanced data to two receiving indexers]

Targets for load balancing

When you configure the set of target receivers, you can employ either DNS or static lists.

DNS lists provide greater flexibility and simplified scale-up, particularly for large deployments. Through DNS, you can change the set of receivers without needing to re-edit outputs.conf on each forwarder.

The main advantage of a static list is that it allows you to specify a different port for each receiver. This is useful if you need to perform load balancing across multiple receivers running on a single host. Each receiver can listen on a separate port.

Static list target

To use a static list for the target, specify each of the receivers in the target group [tcpout] stanza in the forwarder outputs.conf file. In the following example, the target group consists of three receivers, specified by IP address and receiver port number:

[tcpout: my_LB_indexers]
server=<ip1>:<port1>,<ip2>:<port2>,<ip3>:<port3>

The universal forwarder will balance load between the three receivers listed. If one receiver goes down, the forwarder automatically switches to another one on the list.

DNS list target

To use a DNS list, edit outputs.conf on the forwarder to specify a single host in the target group [tcpout] stanza. For example:


In your DNS server, create a DNS A record for each host IP address, referencing the server name you specified in outputs.conf. For example:

splunkreceiver.mycompany.com   A
splunkreceiver.mycompany.com   A
splunkreceiver.mycompany.com   A

The forwarder will use the DNS list to balance loads, sending data in intervals, switching among the receivers specified. If a receiver is not available, the forwarder skips it and sends data to another one on the list.

If you have a topology with many forwarders, the DNS list method lets you update the set of receivers by making changes in just a single location, without touching the outputs.conf files on the forwarders.

Configure load balancing for horizontal scaling

To configure load balancing, first determine your needs, particularly your horizontal scaling and failover requirements. Then develop a topology based on those needs, possibly including multiple forwarders, as well as receivers and a search head to search across the receivers.

Assuming a topology of three forwarders and three receivers, set up DNS-based load balancing with these steps:

1. Install and enable a set of three Splunk Enterprise instances as receivers. This example uses a DNS list to designate the receivers, so they must all listen on the same port. For example, if the port is 9997, enable each receiver by going to its $SPLUNK_HOME/bin/ location and using this CLI command:

./splunk enable listen 9997 -auth <username>:<password>

2. Install the set of forwarders.

3. Set up a DNS list with an A record for each receiver's IP address:

splunkreceiver.mycompany.com   A
splunkreceiver.mycompany.com   A
splunkreceiver.mycompany.com   A

4. Create a single outputs.conf file for use by all the forwarders. This one specifies the DNS server name used in the DNS list and the port the receivers are listening on:



This outputs.conf file uses the autoLBFrequency attribute to set a load-balance frequency of 40 seconds. Every 40 seconds, the forwarders will switch to another receiver. The default frequency, which rarely needs changing, is 30 seconds.

5. Distribute the outputs.conf file to all the forwarders. You can use the deployment server to handle the distribution.

The steps are similar if you're using a static list instead of DNS.
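
A pre-deployment check for the DNS-list setup in the steps above, as an added example that is not part of the Splunk documentation: it parses a constructed outputs.conf, resolves the A records behind the target name, and probes each receiver on the shared port, because a forwarder silently skips a receiver that is down. The stanza name my_LB_indexers (reused from the static-list example), the defaultGroup line, and all function names are assumptions.

```python
import configparser
import socket

# Constructed outputs.conf for the DNS-list steps above (assumed group name).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = my_LB_indexers

[tcpout:my_LB_indexers]
autoLBFrequency = 40
server = splunkreceiver.mycompany.com:9997
"""

def load_dns_target(conf_text, group="my_LB_indexers"):
    """Return (host, port, autoLBFrequency) for a DNS-list target group."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(conf_text)
    stanza = cp["tcpout:" + group]
    servers = [s.strip() for s in stanza["server"].split(",") if s.strip()]
    if len(servers) != 1:
        raise ValueError("a DNS-list target names exactly one host")
    host, _, port = servers[0].rpartition(":")
    # 30 seconds is the default frequency stated on this page.
    return host, int(port), stanza.getint("autoLBFrequency", fallback=30)

def resolve_a_records(host, port):
    """IPv4 addresses behind the DNS name, one per A record."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_probe(ip, port, timeout=3.0):
    """True if something accepts a TCP connection on ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_receivers(conf_text, resolve=resolve_a_records, probe=tcp_probe):
    """Map each receiver IP behind the DNS list to its reachability."""
    host, port, _ = load_dns_target(conf_text)
    return {ip: probe(ip, port) for ip in resolve(host, port)}
```

Run check_receivers(OUTPUTS_CONF) from a forwarder host; any False value is a receiver the forwarders would skip.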

Specify load balancing from the CLI

You can also use the CLI to specify load balancing. You do this when you start forwarding activity to a set of receivers, using this syntax:

./splunk add forward-server <host>:<port> -method autobalance

where <host>:<port> is the host and receiver port of the receiver.

This example creates a load-balanced group of four receivers:

./splunk add forward-server indexer1:9997 -method autobalance
./splunk add forward-server indexer2:9997 -method autobalance
./splunk add forward-server indexer3:9997 -method autobalance
./splunk add forward-server indexer4:9997 -method autobalance

Last modified on 06 April, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
