Getting Data In

Different management port for forwarders and indexer cluster

tusharsaran1
Path Finder

Can we use different management ports on Universal forwarders and Indexer cluster?
Since we will also be using indexer discovery on the forwarders, is it possible that forwarders can continue using the default management port 8089 while the indexers can be setup to use 8090?
If yes, what should be the management uri in the forwarder's outputs.conf? Should the port be 8089 (mgmt port of the forwarder) or 8090 (mgmt port of the cluster master) ? I think it's the latter but I want to get that confirmed.

0 Karma
1 Solution

lguinn2
Legend

tl;dr YES

Any Splunk instance can use any management port that you like - they don't need to be all the same. However, if you want to connect to the cluster master node or the deployment server, etc., you will need to know what management port to use for that instance.

DO NOT USE THE MGMT PORT FOR FORWARDING. Indexers must be set up with a receiving port. The Splunk-to-Splunk forwarding of data uses that port, not the mgmt port.

In outputs.conf, you can give a fixed list of servers that includes the receiving port, eg.

server=indexer1.myco.com:9997,10.2.15.201:9998

OR you can use indexer discovery if you are using indexer clustering. When the forwarder talks to the cluster master node, it is not sending data. Instead it is querying the master node for the server list. So the forwarder must contact the master node on its management port. For example, if the cluster master node is 10.2.15.200 and its mgmt port is 8089, then outputs.conf on the forwarder should contain

master_uri = https://10.2.15.200:8089

HTH

View solution in original post

adonio
Ultra Champion

forwarders management uri will remain 8089 - it has to do with deployment server and not with the cluster master (indexers) which you name for indexers discovery
the port 8090 will be open between your cluster master and indexers
if i understand correctly the requirements
check this stanza in outputs.conf:

indexerDiscovery = <name>
* Instructs the forwarder to fetch the list of indexers from the master node
  specified in the corresponding [indexer_discovery:<name>] stanza.

it does not mention ports, only the name
hope it helps

0 Karma

lguinn2
Legend

tl;dr YES

Any Splunk instance can use any management port that you like - they don't need to be all the same. However, if you want to connect to the cluster master node or the deployment server, etc., you will need to know what management port to use for that instance.

DO NOT USE THE MGMT PORT FOR FORWARDING. Indexers must be set up with a receiving port. The Splunk-to-Splunk forwarding of data uses that port, not the mgmt port.

In outputs.conf, you can give a fixed list of servers that includes the receiving port, eg.

server=indexer1.myco.com:9997,10.2.15.201:9998

OR you can use indexer discovery if you are using indexer clustering. When the forwarder talks to the cluster master node, it is not sending data. Instead it is querying the master node for the server list. So the forwarder must contact the master node on its management port. For example, if the cluster master node is 10.2.15.200 and its mgmt port is 8089, then outputs.conf on the forwarder should contain

master_uri = https://10.2.15.200:8089

HTH

tusharsaran1
Path Finder

On a related note, if we disable the management port on a UF, can it still connect to the cluster master for indexer discovery? Also, can it still connect to the deployment server to fetch config?

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...