Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Heavy Forwarders

Yaichael
Communicator
‎04-22-2016 06:08 AM

Quick question about HF.

Do you necessarily need two separated Splunk instances for Heavy Forwarding data? (One for receiving and one for forwarding).
If not, how can you do this without tripping up with the "Forwarding to indexer group default-autolb-group blocked for 100 seconds" issue?

Thanks in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfreitas
Builder
‎04-22-2016 11:49 AM

Hi Yaichael,

Maybe this can help:

To receive data from a syslog server for example you can send data directly to a Splunk Server (Splunk Indexer if you have a distributed deployment or Splunk Enterprise for single server deployment).
You can also deploy Universal Forwarders to receive local data in some servers. I would suggest you install a Universal Forwarder in one of those cases:

  • You want to index local log file from a server that is not the Splunk Server
  • If you have a remote location and want to receive all the logs from that location in a local server and them forward this data to you Splunk Server(s)
  • If you have a distributed deployment it's always better to receive data on Universal Forwarders that can auto load balance data across all your indexers

A Heavy Forwarder is a Splunk Server full installation that only collects data and forward that data to your splunk server or indexers. It's not very common to have heavy forwarders just in some cases, in most of the cases you can deploy a Universal Forwarder. But for some cases you must install a heavy forwarder, for example to use the app of Checkpoint LEA, of make some index time transformations.

Hope this can helps you

View solution in original post

Reply
Solved! Jump to solution
Solution

gfreitas
Builder
‎04-22-2016 11:49 AM

Hi Yaichael,

Maybe this can help:

To receive data from a syslog server for example you can send data directly to a Splunk Server (Splunk Indexer if you have a distributed deployment or Splunk Enterprise for single server deployment).
You can also deploy Universal Forwarders to receive local data in some servers. I would suggest you install a Universal Forwarder in one of those cases:

  • You want to index local log file from a server that is not the Splunk Server
  • If you have a remote location and want to receive all the logs from that location in a local server and them forward this data to you Splunk Server(s)
  • If you have a distributed deployment it's always better to receive data on Universal Forwarders that can auto load balance data across all your indexers

A Heavy Forwarder is a Splunk Server full installation that only collects data and forward that data to your splunk server or indexers. It's not very common to have heavy forwarders just in some cases, in most of the cases you can deploy a Universal Forwarder. But for some cases you must install a heavy forwarder, for example to use the app of Checkpoint LEA, of make some index time transformations.

Hope this can helps you

Reply
Solved! Jump to solution

ncrisler
New Member
‎04-22-2016 07:08 AM

How is your data being forwarded in? Syslog (non universal forwarder) or Universal Forwarder based?

0 Karma
Reply
Solved! Jump to solution

ncrisler
New Member
‎04-22-2016 07:13 AM

Typically you have one of the following:

universal forwarder forwarding its data to a single indexer or group
universal forwarder forwarding it data to a group of heavy forwarders to be load-balanced across multiple indexers (this is most
or
syslog type input being forwarded to universal forwarder to heavy forwarder(s) to indexers

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...