Deployment Architecture

Would it be possible for UFs to forward/send logs/events to other HFs/UFs?

SplunkDash
Builder

Hello,

Would it be possible for UFs to forward/send logs/events to other HFs/UFs? Thank you!

 

Labels (2)
0 Karma

smurf
Path Finder

Hello,

Yes, it is possible to send logs from UFs to HFs, since you can setup HFs to act as receivers.

On HF you need to setup receiving as described here: Enable a receiver - Splunk Documentation

in inputs.conf (HF) - setup listening port, 9997 is default

[splunktcp://9997]
disabled = 0

 

On UF you need to setup forwarding to the HF as described here: Configure forwarders with outputs.conf - Splunk Documentation

in outputs.conf (UF) - setup to send events to HF. You can name the groups whatever you want. You also need to change the server name / IP.

[tcpout]
defaultGroup=my_HFs

[tcpout:my_HFs]
server=mysplunk_heavy:9997

[tcpout-server://mysplunk_heavy:9997]

 

Hope this helps.

isoutamo
SplunkTrust
SplunkTrust

Hi

as@gcusello and @smurf already told this is possible. But which one you should select UF or HF? The best practices is use an UF if possible and HF only when you haven't any other options. The main reason for this is save resources on that gateway/hub/intermediate node as UF is much smaller than HF. Also UF generates less network traffic than HF as it didn't add (so much) meta data than HF after it has processed events.

Basically only case when you should/have to use HF is if you have some modular inputs, which needs e.g. python on HF side (e.g. TA for aws, TA for m365, TA for VMWare etc.)

As @gcusello already said you should have several intermediate nodes and spread traffic from UFs to all of those. When you are using UF as hub then you probably need to add it's throughput from 256KBps to 1024 or higher. Just add this to limits.conf like

[thruput]
maxKBps = 512

or higher, based on your traffic amount.

r. Ismo 

gcusello
Legend

Hi @SplunkDash,

yes it's possible.

The choose to use an Universal or an Heavy Forwarder depends on the choice to parse and merge events before sending them to Indexers.

If you want to leave that all the preindexing operations to the Indexers, you can use both UF or HF as log concentrator, if you want move the load of preindexing activities from Indexers, you have to use an HF.

Anyway, I hint to use always (both with UFs or HFs) at least two machines to avoid Single Points of Failures.

Ciao.

Giuseppe

SplunkDash
Builder

Hello,

Thank you for your quick response, truly appreciate it. Is there any way I can check that UF forward installed on any host/server from SPLUNK GUI?

0 Karma

gcusello
Legend

Hi @SplunkDash,

in Deployment Server's [Settings -- Forwarder Management ] or in the ;Monitoring Console's [Monitor Console -- Forwarders -- Forwarders: Deployment] you have the list of all Forwarders (UFs and HFs) connected to the Deployment Server (or to the All in one Splunk Server).

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...