Getting Data In

Blacklisting from Universal Forwarder to Heavy Forwarder?

GiordanoB
Engager

Hello guys.

I inherited a Splunk environment and I'm kind of new to this, so I'm studying quite a lot.
In my scenario I have something like 100 Windows UFs sending info to 1 Heavy Forwarder, which sends to 3 indexers and completes the process.
Now I want to filter this info and I'm wondering if I can make a blacklist in the HF to filter these logs; if I can, which is the best way?
- Create an inputs.conf in the local folder and change it from there? I've tried this one and I think it worked; the problem is the logs went to the main index and I couldn't figure out how to change it.

- Create some filter in the Indexers?

Thanks for the help so far.

0 Karma

richgalloway
SplunkTrust

First, you should have more than 1 HF. A lone HF is a single point of failure and can lead to performance problems.

Filter on the HF using props and transforms the same way you would on an indexer. Since the HF is processing the data on behalf of the indexer, filtering must be done there.

---
If this reply helps you, Karma would be appreciated.
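As an added illustration of the props/transforms approach described above (this is example configuration written for this thread, not the poster's own files): the two stanzas below sit in an app on the HF, drop a blacklist of Windows Security event codes by sending them to nullQueue, and route the remaining events to a dedicated index instead of main. The sourcetype name, the app path, the index name and the two event codes chosen as "noise" are assumptions for the example.

```ini
# $SPLUNK_HOME/etc/apps/hf_windows_filter/local/props.conf  (app name assumed)
# Applies to the classic-rendered Windows Security log sourcetype the UFs send.
# Transforms listed in one TRANSFORMS- setting run in the order given.
[WinEventLog:Security]
TRANSFORMS-windows = drop_noisy_eventcodes, route_windows_index

# $SPLUNK_HOME/etc/apps/hf_windows_filter/local/transforms.conf
# Blacklist: events whose EventCode line matches are sent to nullQueue and
# never reach the indexers. 4662 and 5156 are constructed examples of codes
# an admin might consider noise; adjust the alternation to your own list.
[drop_noisy_eventcodes]
REGEX = (?m)^EventCode=(4662|5156)\b
DEST_KEY = queue
FORMAT = nullQueue

# Everything that survives the blacklist is written to the "windows" index
# (assumed name) rather than main. The index must already exist on the
# indexers or the events will be dropped with an error in splunkd.log.
[route_windows_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = windows
```

After restarting the HF, confirm the merged configuration is what you expect with `splunk btool props list WinEventLog:Security --debug` and `splunk btool transforms list --debug`. Two caveats: the HF cooks the data, so the indexers will not re-run these transforms, which means this same app has to be installed on the indexers if the UFs are later pointed at them directly; and the `index =` setting normally belongs in the input stanza of the UF's own inputs.conf, because inputs.conf on the HF only governs inputs the HF itself collects, which is why editing it there did not change where forwarded Windows events landed.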

GiordanoB
Engager

@richgalloway I appreciate your explanation; in the entire scenario this customer has this farm:

2 x HF (one for data inputs and other forwarding, and the second (which is my problem) with ONLY Windows).

3 x Indexers, 1 SH and 1 CM.

I'm going to try your solution as a temporary solution.

@isoutamo from what I understand with what I've learned about these two HFs, they work with 2 locations; each HF works only with its physical location. Still, another job now is to move these UFs to the IDX, and I think this will take some time. Do you have a suggestion on how to do that?

Thanks for the help in advance. Best regards.

0 Karma

isoutamo
SplunkTrust

Check that all FW openings have been done from locations A and B to the IDXes. Then just replace the current output app on the UF with the HF's relevant app. If there are no apps for that, I propose that you create one: just an app which contains an outputs.conf that tells where the IDXes are. You can take that outputs.conf from the HF.

Of course, if/when you have any apps on the HF which manage the input stream from the UFs, you must also add that app to the indexers if it's not there yet, as after that change the IDX will do the parsing etc. tasks which were done earlier on the HFs. If you have any modular inputs on those HFs you should leave those there. Personally I don't like those on indexers and, as you have an idx cluster, you cannot run those on it.

Test with one UF, then add a couple more, and if there are no issues you can add the rest in suitable groups. Just ensure that the group size is not too big, to fix any issues which it can cause (mainly routing and/or FW issues).

If there is no way (e.g. security policy denies it) to send events directly to the IDX, then add secondary HFs in both locations to avoid SPOF situations.

0 Karma
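As an added example of the "output app" this reply describes (written for this thread, not taken from the poster's environment): a minimal app containing only an outputs.conf that points a UF straight at the three indexers with load balancing and indexer acknowledgement. The app name, hostnames and port are assumed placeholders; take the real values from the HF's own outputs.conf as suggested above.

```ini
# $SPLUNK_HOME/etc/apps/site_a_outputs/local/outputs.conf  (app name assumed)
# Deploy to a single UF first, then to larger groups, per the rollout advice above.
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
# All three indexers; the UF rotates between them.
server = idx1.example.internal:9997, idx2.example.internal:9997, idx3.example.internal:9997
# Switch target every 30 s so load spreads evenly across the cluster.
autoLBFrequency = 30
# Indexer acknowledgement: the UF keeps data queued until the IDX confirms
# it was written, which protects against loss during the cut-over.
useACK = true
```

Before enabling the app, verify the firewall openings from the UF host with `Test-NetConnection idx1.example.internal -Port 9997` (PowerShell, repeated for each indexer). After a restart, `splunk list forward-server` on the UF shows which indexers are active, and `splunk btool outputs list tcpout --debug` reveals whether a leftover HF-pointing outputs.conf in another app still wins precedence.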

isoutamo
SplunkTrust

Hi

It's just like @richgalloway said. One comment: unless you have e.g. security zones etc. which need a separate HF between the UFs and IDX, you should send events directly from the UF to the IDX without an HF between those.

r. Ismo
