I have multiple forwarders which are sending data to one indexer at port 9997, I want to transfer data from forwarder to indexer via F5 url. I have created a F5 url like abc.companyname.com which is listening at port 80 and added my indexer in F5 mapping. Indexer is listening at port 9997
I configured my forwarder like abc.companyname.com:80 to send data to new F5. It is not working, can anyone help?
The problems with externally loadbalancing splunk forwarders are tricky and not necessarily obvious.
The mechanism by which forwarders splay their load across N indexers relies upon them periodically reconnecting to different indexers. However if you use a loadbalancer, then the forwarders will not know that there are different indexers and will not reconnect. This means they will effectively remain glued to a single indexer permanently via your F5.
This has problems for balancing, since forwarders do not typically have equal data loads. It also has trouble for indexer lifecycle goals. If you shut down an indexer, forwarders will shift away from it. If you bring the indexer back up, forwarders will not shift back to it, because they do not know it exists.
Additionally, depending upon your configuration, forwarders performing health checks at the time an indexer goes offline or closes its port due to overload may be seen by other forwarders as an indication that their current link is not healthy, potentially leading to an exacerbated problem under high load.
If sending your forwarding data reliably through an external load balancer is important to you, please raise it officially with splunk staff via support channels (Enhancement Request). However for now I suggest you use the Splunk built-in load balancing.
What does your outputs.conf look like on your forwarder? Typically, the communication between a forwarder and splunk do more than just forward data on. They can use an acknowledgement to determine if data was successfully transfered to the indexer. Look for:
useACK = true
on your forwarder's outputs.conf. Something like that would interfere if your forwarder isn't directly communicating with the indexer.
I'm not sure what you hope to gain by this method of going through the F5. You wouldn't be load balancing anything. I assume you just want some sort of analytics on the data going through?
To add to this answer, we do not recommend you use a load balancer between your forwarders and indexers. The problem is (especially if you have multiple indexers), the load balancer will not know what the end of an event looks like.
You would end up with truncated events, and a mess of your data.