Deployment Architecture

Do intermediate Forwarders send acknowledgements when forwarding to non-Splunk devices

DaveHelps
New Member

Consider an environment using intermediate Forwarders as described in http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Protectagainstlossofin-flightdata#When_...

In this environment, the last Forwarder sends data to a third-party system only, as described in http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd

[Source] >>>>> [Forwarder 1] >>>>> [Forwarder 2] >>>>> [Non-Splunk]

We want to ensure that all data that arrives at Forwarder 1 is successfully received by Forwarder 2.

If we enable Indexer Acknowledgement, will Forwarder 2 send acknowledgements as soon as it has sent the data to the non-Splunk receiver? Or is this only possible if Forwarder 2 is sending data to a Splunk Enterprise Indexer?

Thanks in advance

Dave

0 Karma

emiller42
Motivator

According to the document you linked, if there is no acknowledgement coming from the non-Splunk receiver to Forwarder 2, then the Acknowledgement from Forwarder 2 to Forwarder 1 is only around that part of the chain. So Forwarder 2 will acknowledge receipt of data from Forwarder 1, but that does not guarantee that the data was successfully sent to the non-splunk destination.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...