https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/630402#M108056 <P>Hi all,</P><P>Problem solved, finally. It was all jumbled on conf files (too many tests with too many confs).</P><P>Wiping out and starting anew did the trick.</P> Fri, 10 Feb 2023 07:09:08 GMT emallinger 2023-02-10T07:09:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595942#M104069 <P>Hi !</P> <P>I wonder how to correct the following behaviour.</P> <P>Here's my architecture :</P> <P>1 dns entry point load balancing between 2 forwarders on port 8088 for Http Event Collector (HEC).</P> <P>behind that 1 indexer (monoinstance).</P> <P>indexer ack activated for one collect serie (one index with one sourcetype).</P> <P>&nbsp;</P> <P>When sending event, an IdAck is answered back to check if the event is correctly received by the indexer.</P> <P>&nbsp;</P> <P>Problem :</P> <P>2 different events can have the same ackID !</P> <P>I suppose it is because of the load balancing and each ackID list is linked to each forwarder.</P> <P>As the query is balanced, I cannot know if I will be answerd be the fw1 or 2.</P> <P>&nbsp;</P> <P>Event1 is processed by fw1 with idAck = 7</P> <P>Event2 is processed by fw2 with idAck = 7 (also !!)</P> <P>&nbsp;</P> <P>When asking for indexing ack status for idAck7 : my query can be processed by fw1 or 2, but the answer cannot be meaningful because I don't know which event I'm asking about.</P> <P>&nbsp;</P> <P>How do we go around this behaviour ?</P> <P>Does this mean I can't load balance the entrypoint in front of the forwarder ? In this case, how am I supposed to allow high availability of the service ?</P> <P>&nbsp;</P> <P>Thank your a lot in advance for you insights</P> <P>&nbsp;</P> <P>Ema</P> Wed, 18 May 2022 15:11:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595942#M104069 emallinger 2022-05-18T15:11:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595962#M104070 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223411">@emallinger</a>&nbsp;- I believe AckID should be unique per forwarder.</P><P>&nbsp;</P><P>Or if I misunderstood your question, then maybe what you are looking for is channel ID. Please read about it here -&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/AboutHECIDXAck" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/AboutHECIDXAck</A></P><P>&nbsp;</P><P>I hope this helps!!!</P> Fri, 29 Apr 2022 15:54:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595962#M104070 VatsalJagani 2022-04-29T15:54:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595964#M104071 <P>Hi,</P><P>I read that doc page and yes, ackId seems to be unique per forwarder.</P><P>I'm sending from one channel only to 2 fw via one load balancer.</P><P>How am I supposed to know which event the status of one ackId is refering to when I don't know where I'm going to end (hence which forwarder) ?</P><P>&nbsp;</P><P>How is resolved the need of High Availability for the endpoint (that's why I have a LB in front of my fw) with indexer ack ?</P><P>&nbsp;</P><P>Thanks,</P><P>Ema</P> Fri, 29 Apr 2022 16:01:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595964#M104071 emallinger 2022-04-29T16:01:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595967#M104073 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223411">@emallinger</a>&nbsp; - I think you need to try on both forwarders also because they are sitting behind a load balancer.</P> Fri, 29 Apr 2022 16:08:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/595967#M104073 VatsalJagani 2022-04-29T16:08:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/596119#M104094 <P>Hi,</P><P>Yes, but with 2 answers, how am I supposed to know which one is correct ?</P><P>I think it might be necessary to know which forwarder sent the ackId, in order to be able to identify the info I need.</P><P>Suppose I do.</P><P>Yet, I could keep asking the LB and never go back again to the forwarder which sent the ackID (hypothetically).</P><P>I don't think this reasonning can be used as a fix.</P><P>We might be missing some point in the "how to do that"..</P><P>Regards,</P><P>Ema</P> Mon, 02 May 2022 08:13:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/596119#M104094 emallinger 2022-05-02T08:13:36Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/596123#M104095 <P>Hi again,</P><P>use persistent session in the LB might be an option.</P><P>Was it tested that way ?</P><P>Thanks</P><P>Ema</P> Mon, 02 May 2022 09:01:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/596123#M104095 emallinger 2022-05-02T09:01:21Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/596247#M104119 <P>Hi,</P><P>Tested with cookie persistence and sticky persistence : could not make the thing work.</P><P>I do not know what's wrong.</P><P>There is not Server Hello sent to answer the Client Hello in any of the tries.</P><P>&nbsp;</P><P>I'm lost...</P><P>Any idea ?</P><P>Thanks !</P><P>Eglantine</P> Tue, 03 May 2022 12:46:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/596247#M104119 emallinger 2022-05-03T12:46:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/598259#M104374 <P>Hello,</P><P>I made some progress :&nbsp; in order to use persistence, the load balancer need to be able to read the flow.</P><P>So instead of puting the certificate on the forwarder, I put it on the load balancer.</P><P>At least, now curl to the load balancer works fine.</P><P>Except the connexion is rejected : I keep having this message :</P><P>&nbsp;</P><LI-CODE lang="markup">* SSL certificate verify ok. * OpenSSL SSL_write: Connexion ré-initialisée par le correspondant, errno 104 * Failed sending HTTP POST request * Connection #0 to host splunk-hec.test left intact curl: (55) OpenSSL SSL_write: Connexion ré-initialisée par le correspondant, errno 104</LI-CODE><P>&nbsp;</P><P>I'm lost as to how I'm supposed to configure the inputs.conf/server.conf on the forwarders.<BR /><BR /></P><P>Could'nt find any doc with examples about that, yet this is a validated HEC tier in splunk validated architecture documents.</P><P>Does anyone have a suggestion ?</P><P>Thanks in advance,</P><P>Ema</P> Wed, 18 May 2022 08:29:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/598259#M104374 emallinger 2022-05-18T08:29:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/630402#M108056 <P>Hi all,</P><P>Problem solved, finally. It was all jumbled on conf files (too many tests with too many confs).</P><P>Wiping out and starting anew did the trick.</P> Fri, 10 Feb 2023 07:09:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Load-Balanced-HEC-entrypoint-with-indexer-ack/m-p/630402#M108056 emallinger 2023-02-10T07:09:08Z