Getting Data In

Can we send data from forwarder to F5 URL on port 80 which will redirect data to indexer at port 9997?

reach2tushar
Explorer

I have multiple forwarders which are sending data to one indexer at port 9997, I want to transfer data from forwarder to indexer via F5 url. I have created a F5 url like abc.companyname.com which is listening at port 80 and added my indexer in F5 mapping. Indexer is listening at port 9997

I configured my forwarder like abc.companyname.com:80 to send data to new F5. It is not working, can anyone help?

0 Karma

jrodman
Splunk Employee
Splunk Employee

The problems with externally loadbalancing splunk forwarders are tricky and not necessarily obvious.

The mechanism by which forwarders splay their load across N indexers relies upon them periodically reconnecting to different indexers. However if you use a loadbalancer, then the forwarders will not know that there are different indexers and will not reconnect. This means they will effectively remain glued to a single indexer permanently via your F5.

This has problems for balancing, since forwarders do not typically have equal data loads. It also has trouble for indexer lifecycle goals. If you shut down an indexer, forwarders will shift away from it. If you bring the indexer back up, forwarders will not shift back to it, because they do not know it exists.

Additionally, depending upon your configuration, forwarders performing health checks at the time an indexer goes offline or closes its port due to overload may be seen by other forwarders as an indication that their current link is not healthy, potentially leading to an exacerbated problem under high load.

If sending your forwarding data reliably through an external load balancer is important to you, please raise it officially with splunk staff via support channels (Enhancement Request). However for now I suggest you use the Splunk built-in load balancing.

0 Karma

hortonew
Builder

What does your outputs.conf look like on your forwarder? Typically, the communication between a forwarder and splunk do more than just forward data on. They can use an acknowledgement to determine if data was successfully transfered to the indexer. Look for:

useACK = true

on your forwarder's outputs.conf. Something like that would interfere if your forwarder isn't directly communicating with the indexer.

I'm not sure what you hope to gain by this method of going through the F5. You wouldn't be load balancing anything. I assume you just want some sort of analytics on the data going through?

0 Karma

bosburn_splunk
Splunk Employee
Splunk Employee

To add to this answer, we do not recommend you use a load balancer between your forwarders and indexers. The problem is (especially if you have multiple indexers), the load balancer will not know what the end of an event looks like.

You would end up with truncated events, and a mess of your data.

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...