All Apps and Add-ons

Will I get duplicate events if I have Multiple Heavy Forwarders (HF) having same inputs set up?

vrmandadi
Builder

We have splunk add-on for aws installed on one of the hf .Can we install the same add-on other HF and create the same inputsso that when one of the hf is down and the other sends data. Is this possible ? or any other work around for this?

Thanks in Advance

0 Karma
1 Solution

nickhills
Ultra Champion

Don't do this.

Yes you would end up with duplicate events.

A better solution is to install multiple HFs with a different selection of inputs on each. (Depending on your AWS footprint, maybe you configure all inputs for a single region on each HF?)

This won't give you fault tolerance if a single HF fails, but it will reduce the amount of disruption as you would still collect data from the surviving HFs.

The AWS TA is a heavyweight app particularly if you collect all AWS data sources for a large number of resources.
Spreading the load across a pool of HFs like this can stop any single HF getting too bogged down.

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

Don't do this.

Yes you would end up with duplicate events.

A better solution is to install multiple HFs with a different selection of inputs on each. (Depending on your AWS footprint, maybe you configure all inputs for a single region on each HF?)

This won't give you fault tolerance if a single HF fails, but it will reduce the amount of disruption as you would still collect data from the surviving HFs.

The AWS TA is a heavyweight app particularly if you collect all AWS data sources for a large number of resources.
Spreading the load across a pool of HFs like this can stop any single HF getting too bogged down.

If my comment helps, please give it a thumbs up!

vrmandadi
Builder

Thank you for your explanation

0 Karma

dindu
Contributor
0 Karma

vrmandadi
Builder

@dindu thank you for your reply .But creating two same inputs on both HF does create duplicate events right?

0 Karma

dindu
Contributor

Hi,

Yes - the Splunk indexer will treat each input as different and index the same data.

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...