
Heavy Forwarders

Yaichael
Communicator

Quick question about HF.

Do you necessarily need two separate Splunk instances for Heavy Forwarding data? (One for receiving and one for forwarding.)
If not, how can you do this without tripping up with the "Forwarding to indexer group default-autolb-group blocked for 100 seconds" issue?

Thanks in advance!

1 Solution

gfreitas
Builder

Hi Yaichael,

Maybe this can help:

To receive data from a syslog server, for example, you can send the data directly to a Splunk Server (a Splunk Indexer if you have a distributed deployment, or Splunk Enterprise for a single-server deployment).
You can also deploy Universal Forwarders to receive local data on some servers. I would suggest you install a Universal Forwarder in one of these cases:

  • You want to index a local log file from a server that is not the Splunk Server
  • You have a remote location and want to receive all the logs from that location on a local server and then forward this data to your Splunk Server(s)
  • If you have a distributed deployment, it's always better to receive data on Universal Forwarders, which can auto load balance data across all your indexers

A Heavy Forwarder is a full Splunk Server installation that only collects data and forwards that data to your Splunk server or indexers. It's not very common to have heavy forwarders, just in some cases; in most cases you can deploy a Universal Forwarder. But in some cases you must install a heavy forwarder, for example to use the Checkpoint LEA app or to make some index-time transformations.

Hope this helps you

ncrisler
New Member

How is your data being forwarded in? Syslog (non universal forwarder) or Universal Forwarder based?


ncrisler
New Member

Typically you have one of the following:

universal forwarder forwarding its data to a single indexer or group
universal forwarder forwarding its data to a group of heavy forwarders to be load-balanced across multiple indexers (this is most
or
syslog type input being forwarded to universal forwarder to heavy forwarder(s) to indexers

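One way to lay out the single-instance Heavy Forwarder the question asks about, and that both answers above describe (one Splunk Enterprise install that receives from Universal Forwarders and syslog and auto-load-balances to the indexers), as an added configuration example; it is not part of the original thread and not Splunk's own documentation. The hostnames, ports, output group name and index name are assumptions.

```ini
# Added example, not from the original thread. One Heavy Forwarder instance
# both receives and forwards; a second instance is not required.
# Hostnames, ports, the group name "primary_indexers" and the index
# "network" are assumptions.

# ---------------------------------------------------------------
# On EACH INDEXER: $SPLUNK_HOME/etc/system/local/inputs.conf
# Open the receiving port. If no indexer in the group is listening
# (or the port is firewalled), the HF's output queue for that group
# fills up and the HF's splunkd.log reports
# "Forwarding to indexer group <group> blocked for N seconds".
# Equivalent CLI on the indexer: splunk enable listen 9997
# ---------------------------------------------------------------
[splunktcp://9997]
disabled = 0

# ---------------------------------------------------------------
# On the HEAVY FORWARDER: $SPLUNK_HOME/etc/system/local/inputs.conf
# Receive from Universal Forwarders and from syslog on the same instance.
# ---------------------------------------------------------------
[splunktcp://9997]
disabled = 0

# Binding UDP 514 needs root or the equivalent capability on Linux.
[udp://514]
sourcetype = syslog
connection_host = ip
index = network

# ---------------------------------------------------------------
# On the HEAVY FORWARDER: $SPLUNK_HOME/etc/system/local/outputs.conf
# Everything received is forwarded to the indexer group; the HF keeps
# no local copy of the data.
# ---------------------------------------------------------------
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
# A larger queue only buffers a short outage; it does not cure a group
# in which no indexer is accepting data.
maxQueueSize = 100MB

[tcpout:primary_indexers]
# The HF's own address must NOT appear here, or it forwards to itself.
server = idx1.example.com:9997, idx2.example.com:9997
autoLBFrequency = 30
useACK = true
```

The "blocked for N seconds" warning in the HF's splunkd.log means the output queue for that group has filled because the HF could not deliver to any indexer in the group, most often because the indexers are not listening on the receiving port, the port is blocked between HF and indexers, or the indexers' own queues are backed up. On the HF, `splunk list forward-server` shows which of the configured indexers are active and which are configured but not connected, and `splunk btool outputs list --debug` shows which file each effective outputs.conf setting comes from, which catches a stray `defaultGroup` left behind by an app.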