Do intermediate Forwarders send acknowledgements w...

DaveHelps · ‎03-20-2015

Consider an environment using intermediate Forwarders as described in http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Protectagainstlossofin-flightdata#When_...

In this environment, the last Forwarder sends data to a third-party system only, as described in http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd

[Source] >>>>> [Forwarder 1] >>>>> [Forwarder 2] >>>>> [Non-Splunk]

We want to ensure that all data that arrives at Forwarder 1 is successfully received by Forwarder 2.

If we enable Indexer Acknowledgement, will Forwarder 2 send acknowledgements as soon as it has sent the data to the non-Splunk receiver? Or is this only possible if Forwarder 2 is sending data to a Splunk Enterprise Indexer?

Thanks in advance

Dave

emiller42 · ‎03-20-2015

According to the document you linked, if there is no acknowledgement coming from the non-Splunk receiver to Forwarder 2, then the Acknowledgement from Forwarder 2 to Forwarder 1 is only around that part of the chain. So Forwarder 2 will acknowledge receipt of data from Forwarder 1, but that does not guarantee that the data was successfully sent to the non-splunk destination.

Do intermediate Forwarders send acknowledgements when forwarding to non-Splunk devices

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector