https://community.splunk.com/t5/Splunk-Enterprise-Security/Heavy-Forwarder-Configuration-Query/m-p/490684#M8317 <P>Hi @spodda01da,<BR /> Heavy Forwarders are useful in these situations:</P> <UL> <LI>if you have to ingest syslogs,</LI> <LI>if you have a part of your Universal Forwarders in a separate network and you don't want to open all the firewall routes between targets and Indexers,</LI> <LI>if you have a great parsing job and you want to reduce load on Indexers.</LI> </UL> <P>For my experience, only the first two options really justify the use of an Heavy Forwarder, for the third, I prefer to add more resources to Indexers or ad an Indexer then add an Heavy Forwearder.</P> <P>In addition remember that, when you decide to use an Heavy Forwarder, you have always to duplicate it to avoid a Single Points of Failure and you have to carefully configure them to avoid bottlenecks.</P> <P>Ciao.<BR /> Giuseppe</P> Mon, 18 Nov 2019 08:07:07 GMT gcusello 2019-11-18T08:07:07Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Heavy-Forwarder-Configuration-Query/m-p/490682#M8315 <P>Hi All,</P> <P>I have inherited Splunk Enterprise in my company which includes 3 Indexers, 2 Search Head and each Deployment &amp; Licensing Master and Cluster Master.</P> <P>Now in order to receive events from more than 250 servers, Do I need to setup a separate Heavy Forwarder (server) or can we use the above setup/configuration and use one of them as heavy forwarder.</P> <P>Thanks,</P> Mon, 18 Nov 2019 06:17:04 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Heavy-Forwarder-Configuration-Query/m-p/490682#M8315 spodda01da 2019-11-18T06:17:04Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Heavy-Forwarder-Configuration-Query/m-p/490683#M8316 <P>Hi,</P> <P>Using HF in your current setup depends, how much data you are indexing per day? your budget<BR /> HF will reduce performing impact on Indexers , it helps you to parse,filter, can index locally and with many other benefits.<BR /> Please refer the documentation </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Forwarding/Typesofforwarders">https://docs.splunk.com/Documentation/Splunk/8.0.0/Forwarding/Typesofforwarders</A></P> <P>If you need all these benefits then you should consider having HFs in your environment</P> Mon, 18 Nov 2019 07:05:04 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Heavy-Forwarder-Configuration-Query/m-p/490683#M8316 sanjeev543 2019-11-18T07:05:04Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Heavy-Forwarder-Configuration-Query/m-p/490684#M8317 <P>Hi @spodda01da,<BR /> Heavy Forwarders are useful in these situations:</P> <UL> <LI>if you have to ingest syslogs,</LI> <LI>if you have a part of your Universal Forwarders in a separate network and you don't want to open all the firewall routes between targets and Indexers,</LI> <LI>if you have a great parsing job and you want to reduce load on Indexers.</LI> </UL> <P>For my experience, only the first two options really justify the use of an Heavy Forwarder, for the third, I prefer to add more resources to Indexers or ad an Indexer then add an Heavy Forwearder.</P> <P>In addition remember that, when you decide to use an Heavy Forwarder, you have always to duplicate it to avoid a Single Points of Failure and you have to carefully configure them to avoid bottlenecks.</P> <P>Ciao.<BR /> Giuseppe</P> Mon, 18 Nov 2019 08:07:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Heavy-Forwarder-Configuration-Query/m-p/490684#M8317 gcusello 2019-11-18T08:07:07Z