Getting Data In

Can multiple Splunk Universal Forwarders use the same NAT IP for sending data to a Heavy Forwarder?

ekcsoc
Path Finder

We have around 100 Universal Forwarders in a specific Office location A and another 50 Universal Forwarders in Office location B. We are trying to use a single NAT IP (192.168.10.20) for Office location A and a single NAT IP (192.168.10.30) for Office Location B for sending data from these Universal forwarders to a Heavy Forwarder placed in a different Office location C.

Can Splunk distinguish each Universal Forwarder with its own host IP even though it's communicating and sending data to the HF with a single NAT IP?

Is the TCP connection stream handling between the Splunk UF and Splunk HF capable of managing the multiple TCP client connections on the same NAT IP?

0 Karma

maraman_splunk
Splunk Employee

Hi

Yes, this will work, up to the limit of your NAT device (probably the number of different source ports, but that is a TCP/IP limit, not a Splunk one).
The challenge would be communicating with the Deployment Server, but the Universal Forwarder uses a clientname that will be different.
see link text
For sending data, either to indexers or via an intermediate forwarder layer, it also doesn't matter, as the data itself depends on your input configuration and will just be processed independently of your NAT IP.

0 Karma
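A simplified model of the point made in the reply above, as an added example that is not part of the original post and does not speak Splunk's forwarder protocol: several senders share one source IP (127.0.0.1 stands in for the NAT address), the receiver tells the connections apart by source port, and the `host` value is set by the sender and travels inside the data. The host names and the JSON line framing are constructed for the illustration.

```python
import json
import socket
import threading

def run_demo(hosts):
    """Return (peer_ip, peer_port, host) for each sender, sorted by host."""
    # Receiver standing in for the heavy forwarder (constructed model).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(len(hosts))
    port = srv.getsockname()[1]
    seen, lock = [], threading.Lock()

    def handle(conn, peer):
        # Read one newline-terminated JSON event from this connection.
        with conn:
            data = b""
            while not data.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        event = json.loads(data)
        with lock:
            # peer is what the receiver sees on the wire: shared IP, unique port.
            seen.append((peer[0], peer[1], event["host"]))

    def receiver():
        workers = []
        for _ in hosts:
            conn, peer = srv.accept()
            t = threading.Thread(target=handle, args=(conn, peer))
            t.start()
            workers.append(t)
        for t in workers:
            t.join()

    rx = threading.Thread(target=receiver)
    rx.start()
    # Open every connection first so all are live at once, as behind one NAT IP.
    clients = [socket.create_connection(("127.0.0.1", port)) for _ in hosts]
    for c, h in zip(clients, hosts):
        c.sendall(json.dumps({"host": h, "event": "sample"}).encode() + b"\n")
    rx.join()
    for c in clients:
        c.close()
    srv.close()
    return sorted(seen, key=lambda row: row[2])

if __name__ == "__main__":
    for row in run_demo(["uf-a-01", "uf-a-02", "uf-b-01"]):
        print(row)
```

Each concurrent connection from the shared address needs its own source port, which is the NAT-device limit the reply refers to.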

ekcsoc
Path Finder

What do you mean by limit of your NAT device? Is that the number of connections that can be generated from the NAT device?
And one thing, we are not using a deployment server in this model. Universal forwarders will be managed by the IT team with their own tools like SCCM/other tools.

Also, we wanted to know whether the data within the logs is still matched back to the originating log source IP of the server with the Splunk UF, or whether the host IP will be written as the NAT IP?

0 Karma

richgalloway
SplunkTrust

While I believe it will work, I have to ask: Why are you doing this? Intermediate forwarders are discouraged because they can impede performance and are a single point of failure. Why use a single NAT IP for each location? What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ekcsoc
Path Finder

We are trying to achieve a multi-tenant architecture by deploying specific HFs to each office location (or each company). And regarding why a single NAT IP for each location, that is how their network architecture is built and working.

0 Karma