Deployment Architecture

Heavy Forwarder Data flow

mohsplunking
Path Finder

Hello Splunkers,

I have a question around Splunk architecture and would greatly appreciate input from architects.

In a scenario where UF on log source > Heavy Forwarder > Indexer:

Basically, a Universal Forwarder gets installed on a log source with a configuration to connect to the Deployment Server. Once it connects to the DS, the DS will push the output app and the corresponding technology add-on (i.e. Windows/Linux) to the Universal Forwarder.

The output app on the log source (UF) is basically forwarding to the heavy forwarder over standard port 9997.

On the Heavy Forwarder, an output app under etc/apps is there to forward to indexers.

So the question is: do I need to also have a Windows_TA/Linux TA app on the heavy forwarder? Is it necessary? If I don't install a TA, my understanding is the heavy forwarder should still forward everything it receives over port 9997 (without a TA/inputs.conf) to the next Splunk instance. Is that correct?

Sorry, I know it's a long read 😞 but I hope to receive some responses.

Thank you,

regards,

Moh


Prewin27
Communicator

@mohsplunking @sainag_splunk already explained very well.

But if your goal is simply:
UF (collects, basic sourcetype=WinEventLog:Security or sourcetype=linux_secure set by DS) -> HF (aggregates, forwards) -> Indexer (parses fields like EventCode, user, sshd_pid etc.)

then you do not need the full Splunk_TA_windows or Splunk_TA_nix on the Heavy Forwarder. The indexers (with TAs) will handle the detailed parsing.

But it becomes necessary if you want the HF to perform actions that rely on the knowledge within that TA (like parsing fields to use for routing, or specific sourcetype recognition that isn't happening on the UF).

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!


sainag_splunk
Splunk Employee

Hey @mohsplunking ,

So a couple things on your setup:

First, just to clarify - the UFs actually pull from the DS, not push to it. The deployment server is more like a config store that the forwarders check in with and grab their apps/configs from.

And yeah, you're totally right about needing the Windows TA on your heavy forwarder. You might see data without it, but you definitely want it installed on whatever's doing the parsing - which is your HF in this case. Otherwise you'll miss out on proper field extractions and parsing.

Here's the install doc: https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/Install

Yes - Windows TA goes on the HF (since that's where parsing happens), and then your output app handles forwarding everything along to the indexers.



Cheers
If this Helps, please Upvote
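The UF -> HF -> indexer flow discussed in this thread, written out as the Splunk .conf stanzas each hop needs. This is an added illustration, not configuration posted by anyone in the thread; the hostnames and app directory names are assumptions, and only port 9997 comes from the question.

```ini
# --- Universal Forwarder: etc/apps/<output_app>/local/deploymentclient.conf
# (assumed app name) The UF checks in with the DS and pulls its apps from it.
[target-broker:deploymentServer]
# assumed DS hostname
targetUri = ds.example.com:8089

# --- Universal Forwarder: etc/apps/<output_app>/local/outputs.conf
# The UF does no parsing; it ships events to the HF over 9997.
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
# assumed HF hostname; 9997 is the port from the question
server = hf.example.com:9997
# the HF acknowledges each batch before the UF releases it
useACK = true

# --- Heavy Forwarder: etc/apps/<receiver_app>/local/inputs.conf
# A splunktcp listener is what makes the HF accept forwarder traffic on 9997.
# Without this stanza nothing arrives, whether or not a TA is installed.
[splunktcp://9997]
disabled = 0

# --- Heavy Forwarder: etc/apps/<output_app>/local/outputs.conf
# The HF is a full Splunk instance, so it runs the parsing pipeline (line
# breaking, timestamping, index-time transforms) before forwarding cooked,
# parsed data. Index-time settings shipped in Splunk_TA_windows or
# Splunk_TA_nix therefore only take effect on this hop if the TA is present
# here; the indexers do not re-run parsing on data that arrives already
# parsed. Search-time field extractions still come from the TA on the
# search tier, which is why the two answers above do not conflict.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# assumed indexer hostnames; load-balanced across the list
server = idx1.example.com:9997, idx2.example.com:9997
autoLBFrequency = 30
```

If you want the HF to route or filter by fields defined in the TA (as Prewin notes), those props.conf/transforms.conf rules must live on the HF alongside these stanzas, because that is where the parsing queue runs.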
