Heavy Forwarders

Yaichael
Communicator

Quick question about HF.

Do you necessarily need two separate Splunk instances for Heavy Forwarding data? (One for receiving and one for forwarding).
If not, how can you do this without tripping up with the "Forwarding to indexer group default-autolb-group blocked for 100 seconds" issue?

Thanks in advance!

0 Karma
1 Solution

gfreitas
Builder

Hi Yaichael,

Maybe this can help:

To receive data from a syslog server, for example, you can send data directly to a Splunk Server (Splunk Indexer if you have a distributed deployment or Splunk Enterprise for single server deployment).
You can also deploy Universal Forwarders to receive local data on some servers. I would suggest you install a Universal Forwarder in one of these cases:

  • You want to index a local log file from a server that is not the Splunk Server
  • If you have a remote location and want to receive all the logs from that location on a local server and then forward this data to your Splunk Server(s)
  • If you have a distributed deployment, it's always better to receive data on Universal Forwarders that can auto load balance data across all your indexers

A Heavy Forwarder is a full Splunk Server installation that only collects data and forwards that data to your Splunk server or indexers. It's not very common to have heavy forwarders, just in some cases; in most cases you can deploy a Universal Forwarder. But for some cases you must install a heavy forwarder, for example to use the Checkpoint LEA app, or to make some index-time transformations.

Hope this helps you

ncrisler
New Member

How is your data being forwarded in? Syslog (non universal forwarder) or Universal Forwarder based?

0 Karma

ncrisler
New Member

Typically you have one of the following:

universal forwarder forwarding its data to a single indexer or group
universal forwarder forwarding its data to a group of heavy forwarders to be load-balanced across multiple indexers (this is most
or
syslog type input being forwarded to universal forwarder to heavy forwarder(s) to indexers

0 Karma