Splunk infrastructure recommendations


Hello all,

I need some suggestions/recommendations about enlarging our Splunk infra.

What are the considerations of putting heavy forwarders in a different network/VLAN than the deployment server and the indexers?

What are the considerations of putting the indexers on different networks/VLANs than the other indexers and the cluster master? Will there be any synchronization issues?

The context here is that we will onboard new logs from a different network/domain/vlan and we were thinking of putting the heavy forwarder in the "new domain" to reduce the overhead with the firewall rules/to centralize data that will be later sent to the indexers. 

We were also wondering: why not put a heavy forwarder and an indexer in the "new domain" and open the required flows towards/from the deployment server/cluster master/other indexers/search heads?

Any comments or suggestions?


Thank you so much.



Hi @kaboom1,

This isn't a question for the Community; this request requires analysis and design from a Splunk Architect, otherwise you have a big risk.

Anyway, all the considerations from @isoutamo are correct and you could use them, but I suggest asking an Architect.

Anyway, I use an HF when there's a request to segregate networks. In other words, if you want to limit the channels between networks, you can use an HF (better two, to avoid Single Points of Failure) as a concentrator, so you have to open routes only for this server.

If the clients in the subnetwork are fewer than 50, you can use the same HF as Deployment Server, but a two-level Deployment Architecture isn't so immediate and still requires an Architect.






I said that the most important thing to consider when you are placing your HF, and also for indexers, is your company security policy. This is true especially for indexers. Usually those should be put into some security core or something similar where access is quite limited. Heavy forwarders could be in the same zone/VLAN as the indexers and/or DS, but it's not needed. The main thing is to allow the needed access on the FW for communication from the HF to the DS and indexers. Quite often, or almost always, the DS and HFs are in different zones/VLANs. And the same goes for indexers vs. HFs. You should do it just as your company security policy says.

Also, new indexers could be on a different VLAN than the old ones and the CM if needed. But again, in this kind of situation be sure that the FW is opened in both directions as needed!

Personally, I like to keep all indexers on the same VLAN if I have a single-site cluster. On a multisite cluster it depends on how its network has been done. Those could be on one VLAN or one VLAN per site.

Anyhow, try to keep all indexers and also SHs as close as possible to each other, from both a physical and a logical point of view. That will help you later on, as there will be as few network devices between them as possible. You should remember that probably the highest traffic will be between indexers and also between indexers and SH.

r. Ismo
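
The firewall trade-off between the two placements raised in the question, as an added example that is not part of the original thread: it derives the cross-zone rules each option needs from a simplified list of Splunk flows. Host names, zone names and the flow list are constructed for illustration; 8089 is Splunk's default management port, while 9997 (receiving) and 9887 (replication) are assumed conventional values that each deployment configures itself.

```python
from itertools import product

# Assumed ports: 8089 is the default management port; 9997 and 9887 are
# common conventions for receiving and replication, set per deployment.
MGMT, S2S, REPL = 8089, 9997, 9887

# Simplified flow list: (source role, destination role, port, purpose)
FLOWS = [
    ("hf", "ds", MGMT, "deployment client phone-home"),
    ("hf", "idx", S2S, "forwarded data"),
    ("idx", "cm", MGMT, "peer heartbeat to cluster master"),
    ("cm", "idx", MGMT, "cluster master to peer"),
    ("idx", "idx", REPL, "bucket replication"),
    ("sh", "idx", MGMT, "distributed search"),
    ("sh", "cm", MGMT, "peer list lookup"),
]

# Constructed inventory: {host: (role, zone)}
CORE = {"ds1": ("ds", "core"), "cm1": ("cm", "core"), "sh1": ("sh", "core"),
        "idx1": ("idx", "core"), "idx2": ("idx", "core")}
OPTION_A = {**CORE, "hf-new": ("hf", "new")}            # HF only in new domain
OPTION_B = {**OPTION_A, "idx-new": ("idx", "new")}      # HF + indexer there

def cross_zone_rules(hosts):
    """Return sorted (src, dst, port, purpose) tuples that cross a zone boundary."""
    rules = set()
    for (src, (srole, szone)), (dst, (drole, dzone)) in product(hosts.items(), repeat=2):
        if src == dst or szone == dzone:
            continue  # same host or same zone: no firewall rule needed
        for frole, trole, port, why in FLOWS:
            if (srole, drole) == (frole, trole):
                rules.add((src, dst, port, why))
    return sorted(rules)

if __name__ == "__main__":
    for name, hosts in (("A: HF only", OPTION_A), ("B: HF + indexer", OPTION_B)):
        rules = cross_zone_rules(hosts)
        print(f"Option {name}: {len(rules)} cross-zone rules")
        for src, dst, port, why in rules:
            print(f"  {src:8} -> {dst:8} tcp/{port}  {why}")
```

With this inventory, the HF-only placement needs rules that all originate from the one forwarder, while adding an indexer to the new domain brings replication, cluster master and search traffic across the firewall in both directions.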
