Hello guys.
I inherited a Splunk environment and I'm kinda new to this, so I'm studying quite a lot.
In my scenario I have something like 100 Windows UFs sending info to 1 Heavy Forwarder, which sends to 3 indexers and completes the process.
Now I want to filter this info and I'm wondering if I can make a blacklist on the HF to filter these logs. If I can, which is the best way?
- Create an inputs.conf in the local folder and change it from there? I've tried this one and I think it worked; the problem is the logs went to the main index and I couldn't figure out how to change it.
- Create some filter on the indexers?
Thanks for the help so far.
First, you should have more than 1 HF. A lone HF is a single point of failure and can lead to performance problems.
Filter on the HF using props and transforms the same you would on an indexer. Since the HF is processing the data on behalf of the indexer, filtering must be done there.
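A concrete form of that props/transforms pair, as an added example and not a configuration posted in this thread. The stanza name `[source::WinEventLog:Security]`, the EventCodes treated as noise (4662, 5156), the app directory and the target index `wineventlog` are all assumptions; replace them with what the environment actually needs. Because the UFs do no parsing, this lives on the HF, which is the first full Splunk instance the data reaches.

```ini
# $SPLUNK_HOME/etc/apps/hf_windows_filter/local/props.conf  (on the Heavy Forwarder)
# Assumed app name. The source:: form matches regardless of whether the Windows TA
# sets sourcetype=WinEventLog:Security (older TA) or sourcetype=WinEventLog with
# source=WinEventLog:Security (newer TA). Transforms run in the listed order.
[source::WinEventLog:Security]
TRANSFORMS-route = drop_noisy_eventcodes, set_windows_index

# $SPLUNK_HOME/etc/apps/hf_windows_filter/local/transforms.conf  (on the Heavy Forwarder)

[drop_noisy_eventcodes]
# Blacklist: anything matching REGEX goes to nullQueue and is never indexed
# (it still counts toward nothing on the indexers, since it is discarded here).
# EventCodes 4662 and 5156 are an assumed example of noise; edit the alternation.
# The regex assumes the classic multi-line rendering (renderXml = false), where the
# raw event contains a line "EventCode=4662". For renderXml = true, match on
# <EventID>4662</EventID> instead.
REGEX = (?m)^EventCode=(?:4662|5156)\s*$
DEST_KEY = queue
FORMAT = nullQueue

[set_windows_index]
# Everything that survives the blacklist is routed to a dedicated index instead of
# main. The index name "wineventlog" is assumed and must already exist on all
# three indexers (create it on the CM and push it to the cluster).
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = wineventlog
```

Two checks worth doing after deploying this: restart the HF (props/transforms are read at startup), then run `splunk btool props list "source::WinEventLog:Security" --debug` on the HF to confirm the stanza is picked up from the intended app, and search `index=wineventlog EventCode=4662` to confirm nothing slips through. Note that an inputs.conf placed on the HF only defines the HF's own inputs; it has no effect on data arriving from the UFs over splunktcp, which is why that earlier attempt did not change the index. If the goal is simply to discard a few EventCodes, the cheapest place is the UF itself: `blacklist = 4662,5156` under the `[WinEventLog://Security]` stanza in the UF's inputs.conf stops those events from ever being sent, and `index = wineventlog` in the same stanza sets the destination index at the source.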
@richgalloway, I appreciate your explanation. In the entire scenario this customer has this farm:
2 x HF (one for data inputs and other forwarding, and the second (which is my problem) with ONLY Windows).
3 x Indexers, 1 SH and 1 CM.
I'm going to try your solution as a temporary solution.
@isoutamo, what I understand from what I've learned about these two HFs is that they work with 2 locations; each HF works only with its physical location. Still, another job now is to move these UFs to the IDX, and I think this will take some time. Do you have a suggestion on how to do that?
Thanks for the help in advance. Best regards.
Check that all FW openings have been done from locations A and B to the IDXes. Then just replace the current output app on the UFs with the HF's relevant app. If there is no app for that, I propose that you create one. Just an app which contains an outputs.conf that tells where the IDXes are. You can take that outputs.conf from the HF.
Of course, if/when you have any apps on the HF which manage the input stream from the UFs, you must add those apps to the indexers as well if they're not there yet, as after that change the IDX will do the parsing etc. tasks which were done earlier on the HFs. If you have any modular inputs on those HFs you should leave those there. Personally I don't like those on indexers, and as you have an idx cluster, you cannot run those on it.
Test with one UF, then add a couple more, and if there are no issues then you can add the rest in suitable groups. Just ensure that the group size is not too big, to fix any issues which it can cause (mainly routing and/or FW issues).
If there is no way (e.g. security policy denies it) to send events directly to the IDX, then add secondary HFs in both locations to avoid SPOF situations.
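The output app and the matching indexer-side listener for the procedure above, written here as an added example rather than configuration from this thread. The app name `uf_outputs_idx`, the indexer hostnames and the port 9997 are assumptions; copy the real server list from the HF's existing outputs.conf.

```ini
# $SPLUNK_HOME/etc/apps/uf_outputs_idx/local/outputs.conf
# Deployed to every Windows UF (by deployment server or by hand) in place of the
# app that currently points at the HF. Only one app should define defaultGroup,
# otherwise the UF will send to both destinations.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Assumed hostnames; the UF load-balances across all listed indexers and moves
# to another one if a connection drops, so there is no single point of failure.
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
# Indexer acknowledgement: the UF keeps data until an indexer confirms receipt,
# so a peer restart during a cluster rolling restart does not lose events.
useACK = true

# $SPLUNK_HOME/etc/apps/idx_inputs/local/inputs.conf
# On each indexer (pushed from the CM via master-apps so the whole cluster has it).
# Opens the receiving port the UFs connect to; the same port was previously only
# open on the HF, hence the firewall check from location A and B first.
[splunktcp://9997]
disabled = 0
```

Before rolling this out to the first UF, verify on that UF with `splunk btool outputs list tcpout --debug` that the only `defaultGroup` comes from the new app, and after restarting it check `splunk list forward-server` shows the three indexers as active. Any props.conf/transforms.conf app that filtered or re-indexed Windows data on the HF has to be present on the indexers too, via the CM, before the first UF is switched, since from that moment the indexer is the first instance to parse those events.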
Hi
It's just like @richgalloway said. One comment: unless you have e.g. security zones etc. which need a separate HF between the UFs and the IDX, you should send events directly from the UFs to the IDX without an HF in between.
r. Ismo