I have a scenario: I have multiple UFs connecting to a DS which is on a HF which connects to the cloud.
Do the UFs require any special config with regards to sending their data to the HF?
Only the HF has the Splunk Cloud app installed and I can see HF data in _internal in Splunk Cloud.
However, using a standard outputs.conf on the UFs, I cannot see anything connecting to the HF.
HF is listening on the correct receiving port 9997 and outputs.conf is configured appropriately.
There is nothing at all special, no.
Hello there,
The forwarders will have outputs that represent the HF as a receiver.
I will recommend not to have HF and Deployment Server on the same instance.
Read answer here:
https://answers.splunk.com/answers/541999/how-to-setupenable-splunk-heavy-forwarder-as-deplo.html
And docs here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Updating/Calculatedeploymentserverperformance
Hope it helps.
Thanks - we are only hosting ~35 UFs so will see how we go. If we notice a performance hit I will recommend standalone.
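A check for the UF side discussed in this thread, as an added example that is not part of the original posts: it parses a UF's outputs.conf and reports why nothing would reach the HF on receiving port 9997. The host name `hf.example.com`, the group name `hf_group`, the function `check_uf_outputs` and the sample files are constructed for illustration, and the check assumes the UF routes through `defaultGroup`.

```python
import configparser

HF_RECEIVING_PORT = 9997  # receiving port stated in the question

def _csv(value):
    """Split a comma-separated Splunk setting into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_uf_outputs(conf_text, hf_host, hf_port=HF_RECEIVING_PORT):
    """Return a list of problems in a UF outputs.conf (empty list means OK)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names as written (defaultGroup)
    cp.read_string(conf_text)
    if not cp.has_section("tcpout"):
        return ["no [tcpout] stanza: forwarding is not configured"]
    problems, target_found = [], False
    groups = _csv(cp.get("tcpout", "defaultGroup", fallback=""))
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        stanza = f"tcpout:{group}"
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup '{group}' has no [{stanza}] stanza")
            continue
        servers = _csv(cp.get(stanza, "server", fallback=""))
        if not servers:
            problems.append(f"[{stanza}] has no server setting")
        for server in servers:
            host, sep, port = server.rpartition(":")
            if not sep or not port.isdigit():
                problems.append(f"[{stanza}] server '{server}' is not host:port")
            elif host == hf_host and int(port) == hf_port:
                target_found = True
    if not target_found:
        problems.append(f"no default group sends to {hf_host}:{hf_port}")
    return problems

# Constructed sample files (hypothetical host and group names).
GOOD_CONF = """
[tcpout]
defaultGroup = hf_group
[tcpout:hf_group]
server = hf.example.com:9997
"""
MISMATCHED_GROUP = GOOD_CONF.replace("[tcpout:hf_group]", "[tcpout:heavy]")
MISSING_PORT = GOOD_CONF.replace(":9997", "")
WRONG_PORT = GOOD_CONF.replace("9997", "8089")  # management port, not receiving
```

Run it against the file the deployment server actually pushed to the UF, since an app-level outputs.conf can differ from the one edited by hand.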