<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic universal forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740771#M117754</link>
    <description>&lt;P&gt;Dear all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have the following outputs.conf configuration:&lt;/P&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;&lt;SPAN&gt;&lt;SPAN class=""&gt;[tcpout]&lt;/SPAN&gt; &lt;SPAN class=""&gt;defaultGroup&lt;/SPAN&gt; = my_indexers &lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN&gt;&lt;SPAN class=""&gt;[tcpout:my_indexers]&lt;/SPAN&gt; &lt;SPAN class=""&gt;server&lt;/SPAN&gt; = mysplunk_indexer1:&lt;SPAN class=""&gt;9997&lt;/SPAN&gt;, mysplunk_indexer2:&lt;SPAN class=""&gt;9997&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN&gt;&lt;SPAN class=""&gt;[tcpout-server://mysplunk_indexer1:9997]&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;P&gt;Could you please clarify the Universal Forwarder (UF) behavior in the event that mysplunk_indexer1 goes down?&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Will the UF continue sending data to both indexers despite mysplunk_indexer1 being down?&lt;/LI&gt;&lt;LI&gt;Or will the UF detect that mysplunk_indexer1 is unreachable and stop forwarding traffic to it?&lt;/LI&gt;&lt;/UL&gt;</description>
    <pubDate>Tue, 04 Mar 2025 14:38:03 GMT</pubDate>
    <dc:creator>hazem</dc:creator>
    <dc:date>2025-03-04T14:38:03Z</dc:date>
    <item>
      <title>universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740771#M117754</link>
      <description>&lt;P&gt;Dear all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have the following outputs.conf configuration:&lt;/P&gt;&lt;DIV class=""&gt;&lt;DIV class=""&gt;&lt;SPAN&gt;&lt;SPAN class=""&gt;[tcpout]&lt;/SPAN&gt; &lt;SPAN class=""&gt;defaultGroup&lt;/SPAN&gt; = my_indexers &lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN&gt;&lt;SPAN class=""&gt;[tcpout:my_indexers]&lt;/SPAN&gt; &lt;SPAN class=""&gt;server&lt;/SPAN&gt; = mysplunk_indexer1:&lt;SPAN class=""&gt;9997&lt;/SPAN&gt;, mysplunk_indexer2:&lt;SPAN class=""&gt;9997&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class=""&gt;&lt;SPAN&gt;&lt;SPAN class=""&gt;[tcpout-server://mysplunk_indexer1:9997]&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/DIV&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;P&gt;Could you please clarify the Universal Forwarder (UF) behavior in the event that mysplunk_indexer1 goes down?&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Will the UF continue sending data to both indexers despite mysplunk_indexer1 being down?&lt;/LI&gt;&lt;LI&gt;Or will the UF detect that mysplunk_indexer1 is unreachable and stop forwarding traffic to it?&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Tue, 04 Mar 2025 14:38:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740771#M117754</guid>
      <dc:creator>hazem</dc:creator>
      <dc:date>2025-03-04T14:38:03Z</dc:date>
    </item>
    <item>
      <title>Re: universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740772#M117755</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267164"&gt;@hazem&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Will the UF continue sending data to both indexers?&lt;BR /&gt;&lt;/STRONG&gt;No, it will only send data to the available indexer (mysplunk_indexer2)&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Will the UF detect that mysplunk_indexer1 is unreachable?&lt;BR /&gt;&lt;/STRONG&gt;Yes, the UF will detect the unreachability and automatically adjust its forwarding strategy&lt;/P&gt;&lt;P&gt;Please let me know how you get on and consider adding karma to this or any other answer if it has helped.&lt;BR /&gt;Regards&lt;/P&gt;&lt;P&gt;Will&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 04 Mar 2025 14:42:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740772#M117755</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-03-04T14:42:36Z</dc:date>
    </item>
    <item>
      <title>Re: universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740773#M117756</link>
      <description>&lt;P&gt;In terms of further breakdown to the previous answer:&amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;&lt;STRONG&gt;Automatic Failover:&lt;/STRONG&gt; If mysplunk_indexer1 goes down, the UF will detect the failure and automatically stop sending data to that indexer.&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Continued Forwarding to Available Indexers:&lt;/STRONG&gt; The UF will continue forwarding data to mysplunk_indexer2:9997. The forwarder does not stop forwarding entirely but rather distributes the load among the remaining available indexers.&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Retry Logic:&lt;/STRONG&gt; The UF will periodically attempt to reconnect to mysplunk_indexer1. Once it becomes available again, data will resume being sent to it.&lt;/LI&gt;&lt;LI&gt;&lt;STRONG&gt;Load Balancing (if applicable):&lt;/STRONG&gt; If both indexers were previously receiving traffic in a load-balanced manner (e.g., using autoLBFrequency), the UF would shift all the load to the remaining functional indexer.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Also, you might want to consider the following:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;If no indexers are available, events will be queued locally in memory (or on disk if useAck is enabled).&lt;/LI&gt;&lt;LI&gt;Ensure you configure proper connectionTimeout and autoLBFrequency settings to optimize failover behavior.&lt;/LI&gt;&lt;LI&gt;If useACK=true (for reliable delivery), the UF will queue events until an indexer acknowledges them.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Please let me know how you get on and consider adding karma to this or any other answer if it has helped.&lt;BR /&gt;Regards&lt;/P&gt;&lt;P&gt;Will&lt;/P&gt;</description>
      <pubDate>Tue, 04 Mar 2025 14:43:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740773#M117756</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-03-04T14:43:34Z</dc:date>
    </item>
    <item>
      <title>Re: universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740783#M117757</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267164"&gt;@hazem&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;at first the last row isn't mandatory, it's an old configuration and if you put it, you should add one row for each server.&lt;/P&gt;&lt;P&gt;Anyway, if you configure more than one Indexer, lofs are forwarded to all the Indexers changing destination every 30 seconds using a round robin algorithm for the load balancing.&lt;/P&gt;&lt;P&gt;Then, if an Indexers isn't available, the Forwarders tries with another one; id no Indexers are available it saves logs on a local cache and forward them when the connection is established again.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 04 Mar 2025 15:35:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/universal-forwarder/m-p/740783#M117757</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2025-03-04T15:35:38Z</dc:date>
    </item>
  </channel>
</rss>

