Hi Splunkers...
Assumptions... The HF we want to deploy.. it should be inside a DMZ network, the license master is outside the DMZ and all necessary ports will be opened as required
now the question is..
Can License Master to HF have only one way direction communication(info flow is only from LM to HF... not two way, in the sense... there will be no HF to LM info flow)
OR
the LM to HF requires two way communication by default.
please suggest, thanks.
@gcusello may i know your advice please
Hi @inventsekar ,
as @isoutamo said, if you don't need a local indexing, you can use the Forwarder License (it was created just for this purpose!).
Using this license, you have all the features of a Splunk instance except indexing.
In other words, you can preprocess (mainly parse) your data.
In this way you can locate this job on HFs instead IDXs.
Using the Forwarder License, you don't need to communicate with the LM, unless you want a local copy of your logs: in this case you need an unidirectional connection with the LM on 8089 port.
Ports between HF and LM aren't relevant.
On HF you need only: 9997 to send data to IDXs and 8089 to manage HF with your DS.
Ciao.
Giuseppe
Hi
the HF - LM communication is always one way, from HF to LM never other way.
Actually you don’t need that communication at all, you could change HF license mode to use forwrder licence when it can use all HF features to forward events to the next full splunk instances (hf, uf or indexer). It can just forward but not index anything.
r. Ismo
>>> Actually you don’t need that communication at all, you could change HF license mode to use forwrder licence when it can use all HF features to forward events to the next full splunk instances (hf, uf or indexer). It can just forward but not index anything.
yes @isoutamo .. we thought that idea. but, as HF does some "preprocessing" (field extractions, etc) of logs, right.. so, if we use HF just like a UF(only for forwarding the logs), then indexer's job is same like as if we dont have the HF at all, right (i mean, the indexer needs to do full job of all processing of logs)
EDIT
>>> the HF - LM communication is always one way, from HF to LM never other way.
you mean, HF will send request to LM asking the license info then it takes care of its job. there is no need of LM requesting/sending/asking info from/to the HF?
ok, simple question... between HF and LM... please update us the ports configuration. thanks @isoutamo , karma points given appreciating your response. thanks again.
You can do those “indexer stuff” with that forwarder licence. Only thing what is missing is indexing.
You need to open only management access. Normally this is port 8089/tcp. Then if/when you want to monitor those with MC you need to access also MC -> LC that same port and those as indexer and create some own groups for those etc.