Deployment Architecture

Best practice: add indexers as search peers for the heavy forwarders?

yoho
Contributor

When configuring data inputs on a heavy forwarder via the GUI (HEC, for instance), the destination index is requested but it has to be selected from a list which obviously is not coming from our indexers because it contains only default indexes.

Should we add the indexers as search peers for this list to be correctly populated? Is it best practice, or is there any drawback to doing so? Also, do you add the heavy forwarders as search heads in the monitoring console?

1 Solution

isoutamo
SplunkTrust

As @gcusello said, if you want to select the index from the list then you must add those to the HF. As you have configured index forwarding (at least you should), there is no real harm in copying the same indexes.conf from the IDX to the HF. Another option is to use the config files directly to add the HEC information, or to use the CLI for that.

r. Ismo
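
The config-file route mentioned in the answer above, as an added example that is not part of the original posts or Splunk's own material: a HEC token defined directly in `inputs.conf` on the heavy forwarder, pointing at an index that exists only on the indexers. The app name `hec_inputs`, the input name `app_events`, the index `app_prod`, the sourcetype and the indexer host names are all assumptions, and the token is a placeholder.

```ini
# --- inputs.conf on the heavy forwarder ---
# Assumed location: $SPLUNK_HOME/etc/apps/hec_inputs/local/inputs.conf

[http]
# Enable the HTTP Event Collector on this instance
disabled = 0

[http://app_events]
disabled = 0
# Placeholder: replace with a generated GUID and keep it out of version control
token = <PLACEHOLDER-GUID>
# Default index for events received with this token.
# It is typed here by name, so it does not need to appear in the GUI drop-down.
index = app_prod
# Allow-list of indexes this token may write to; restricting it stops a
# client from redirecting events to another index in the request.
indexes = app_prod
sourcetype = app:json

# --- outputs.conf on the heavy forwarder ---
# Assumed location: $SPLUNK_HOME/etc/apps/hec_inputs/local/outputs.conf

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Hypothetical indexer addresses
server = idx1.example.com:9997, idx2.example.com:9997

[indexAndForward]
# Forward only, keep no local copy on the heavy forwarder
index = false
```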


yoho
Contributor

Yes, you don't see the indexes when you go to Settings > Data Inputs (in the GUI) and configure any of the data inputs on this page (HTTP event collector, for instance).

My question was actually if there was a possibility to make them visible in the list (because contrary to the sourcetype, you cannot type anything, you have to select from a fixed list).


gcusello
SplunkTrust

Hi @yoho,

the only way to see them in the list is to create the indexes on the HFs, but it's not useful!

Ciao.

Giuseppe


yoho
Contributor

Ok, thanks for the replies. I find it stupid that the choice of index is not:

  • Via a list populated by making a REST call to your search peers / indexers
  • OR available for you to type in a free-form text field, like for the sourcetype

gcusello
SplunkTrust

Hi @yoho,

good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


gcusello
SplunkTrust

Hi @yoho,

you need to add indexes to the HF only if you want to store a local copy of the data; otherwise you don't need it.

Obviously you have to know the names of the indexes on the Indexers to send data to them, because you don't see them on the HFs.

Ciao.

Giuseppe
