Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forwarders and Reverse Proxy

mzorzi
Splunk Employee
Splunk Employee
‎07-26-2012 12:18 PM

Currently, we've got four indexers and about 1400 forwarders. These forwarders all send their data to the indexers over the Internet.

The autoLB parameter is set on the forwarders to send to all four indexers. I'm curious if there is any way to set up a reverse proxy so that we can have one externally facing IP address and port, but then have the incoming traffic divided up between the indexers.

Many of our forwarders are at customer sites, and having them update their firewall rules every time we add a new indexer is frustrating for the customer and cumbersome for us.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎07-26-2012 02:39 PM

Similar to what Ayn is suggesting I might do something like this:

  1. Set up a pair "bridgehead" light forwarders at each customer location (or require the customer to do so). Their local systems all forward to these.
  2. Also set up two (maybe more, always in pairs) heavy forwarders at your own location that are accessible by the customer bridgehead forwarders. The customer bridgeheads forward to your edge forwarders who can then offload parsing from your indexers and pass pre-parsed events on to your indexer farm.

This gives your customers a simple internal network / firewall configuration (at the cost of a couple of VMs), and gives you the ability to change your indexer footprint more or less at will.

Reply

Ayn
Legend
‎07-27-2012 12:23 AM

I should mention that this is precisely how we've set it up, and it seems we're running a similar service (architecture wise) to what is described in the initial question, and it works perfectly.

0 Karma
Reply

Ayn
Legend
‎07-26-2012 02:26 PM

If the intermediate forwarder is an Universal Forwarder, it has some default limits set, such as that it will send data at a maximum speed of 256kBps. That's just a default value though, that can easily be changed, as are all others. Heavy forwarders have no limits like this set by default. Either way, it's no bottleneck because it's essentially just another Splunk instance - just one that happens to forward stuff instead of indexing stuff.

Reply

andru
Explorer
‎07-26-2012 01:07 PM

If intermediate forwarders are used, do you know of any limitations? For example, how many forwarders could connect to a single intermediate forwarder before bottle necking would occur?

0 Karma
Reply

Ayn
Legend
‎07-26-2012 12:24 PM

Did you consider intermediate forwarders that use autoLB against backend indexers? If yes, what made you not choose that option?

Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...