Good Morning,
We have the following concern. We currently have several universal forwarders sending information to the indexers, but we see that some servers have outdated information in the outputs.conf.
for example
The current configuration of our cluster is 6 indexer
[tcpout]
disabled = false
defaultGroup = indexCluster
[tcpout: indexCluster]
useACK = true
server = x.x.x.1: 9999, x.x.x.2: 9999, x.x.x.3: 9999, x.x.x.4: 9999, x.x.x.5: 9999, x.x.x.6: 9999
And certain servers have only some
[tcpout]
disabled = false
defaultGroup = indexCluster
[tcpout: indexCluster]
useACK = true
server = x.x.x.1: 9999, x.x.x.2: 9999, x.x.x.3: 9999, x.x.x.4: 9999
1- Is there any problem if all the machines are not defined in the outputs.conf?
2- We see an overload in some indexer, will it be because all the indexers in our universal forwarder are not defined?
3- When the UF sends information to the cluster, it will be sent by the first IP that establishes communication or the cluster assigns which machine will take this task.
4- What happens when the cluster has a lot of load in an indexer, for example indexer 1 (xxx1: 9999) . Does the cluster perform a balancing and designate another indexer for this task? But if my only forwarder has only that IP pointing, how will i know that the idx2, or idx3 are without less loads, if i do not have these ip defined (xxx2: 9999, xxx3: 9999) in the outputs.conf?
Any information is appreciated
regards
↧
