Getting Data In

Can we send data from forwarder to F5 URL on port 80 which will redirect data to indexer at port 9997?

reach2tushar
Explorer

I have multiple forwarders which are sending data to one indexer at port 9997, I want to transfer data from forwarder to indexer via F5 url. I have created a F5 url like abc.companyname.com which is listening at port 80 and added my indexer in F5 mapping. Indexer is listening at port 9997

I configured my forwarder like abc.companyname.com:80 to send data to new F5. It is not working, can anyone help?

0 Karma

jrodman
Splunk Employee
Splunk Employee

The problems with externally loadbalancing splunk forwarders are tricky and not necessarily obvious.

The mechanism by which forwarders splay their load across N indexers relies upon them periodically reconnecting to different indexers. However if you use a loadbalancer, then the forwarders will not know that there are different indexers and will not reconnect. This means they will effectively remain glued to a single indexer permanently via your F5.

This has problems for balancing, since forwarders do not typically have equal data loads. It also has trouble for indexer lifecycle goals. If you shut down an indexer, forwarders will shift away from it. If you bring the indexer back up, forwarders will not shift back to it, because they do not know it exists.

Additionally, depending upon your configuration, forwarders performing health checks at the time an indexer goes offline or closes its port due to overload may be seen by other forwarders as an indication that their current link is not healthy, potentially leading to an exacerbated problem under high load.

If sending your forwarding data reliably through an external load balancer is important to you, please raise it officially with splunk staff via support channels (Enhancement Request). However for now I suggest you use the Splunk built-in load balancing.

0 Karma

hortonew
Builder

What does your outputs.conf look like on your forwarder? Typically, the communication between a forwarder and splunk do more than just forward data on. They can use an acknowledgement to determine if data was successfully transfered to the indexer. Look for:

useACK = true

on your forwarder's outputs.conf. Something like that would interfere if your forwarder isn't directly communicating with the indexer.

I'm not sure what you hope to gain by this method of going through the F5. You wouldn't be load balancing anything. I assume you just want some sort of analytics on the data going through?

0 Karma

bosburn_splunk
Splunk Employee
Splunk Employee

To add to this answer, we do not recommend you use a load balancer between your forwarders and indexers. The problem is (especially if you have multiple indexers), the load balancer will not know what the end of an event looks like.

You would end up with truncated events, and a mess of your data.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...