Solved: Do we need a license for Heavy forwarder..?

prakash007 · ‎04-20-2016

I have this workflow

UFs---------->HF---------->Splunkcloud

I'm using this HF just to route the data to Splunk clould without any indexing locally, but with few regexes for filtering in props and transforms. When i tried to login to HF GUI there was a message prompted to upgrade the license.

Can i convert that HF to a slave or a Free license..?

lguinn2 · ‎04-20-2016

For a heavy forwarder (HF), you should set up one of the following options:

1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities - and the HF will consume no license, as long as it does not index data.

2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose. (Note that the Universal Forwarder has the forwarder license pre-installed.)

I strongly discourage using either the trial license or the free license on a production forwarder.

View solution in original post

lguinn2 · ‎04-20-2016

For a heavy forwarder (HF), you should set up one of the following options:

1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities - and the HF will consume no license, as long as it does not index data.

2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose. (Note that the Universal Forwarder has the forwarder license pre-installed.)

I strongly discourage using either the trial license or the free license on a production forwarder.

damode · ‎10-18-2017

Hi @Iguinn,

Is the 2nd option better than 1st ? and why so ? I am curious to know.
Thanks.

somesoni2 · ‎01-10-2017

@chanamoluk's new comment.

can you please provide me the steps ,how to make my HF as slave so that my HF will not consume any license...
currently I have forwarder license which I need to use it for HF. as my HF is going to expire with in few days...

Run the command mentioned in @lguinn comment

splunk edit licenser-groups Forwarder -is_active 1
 splunk restart

chanamoluk · ‎01-10-2017

where to run this command , i havn't found "splunk-forwarder.license" folder any where in my HF
$SPLUNK_HOME/etc/.....

dcroteau · ‎05-04-2016

Lguinn, In your option #2. Do you still go to $SPLUNK_HOME/etc/splunk-forwarder.license and copy it to splunk.license and restart splunkd if you don't want it to be a slave?

lguinn2 · ‎05-05-2016

You can do that, or you can just do this:

splunk edit licenser-groups Forwarder -is_active 1
splunk restart

This will switch Splunk to the built-in forwarder license. These command will work even if you don't have the $SPLUNK_HOME/etc/splunk-forwarder.license file

lakshman239 · ‎07-05-2016

hello Lisa, I have a similar situation for a customer. On your option 2 - I want to config the splunk instance as both heavy forwarder and a deployment server to manage the on-premise deployment clients. How do I go about setting up the license? I don't think I can make them as a slave to my managed splunk cloud. Pls advise. Thanks
Laks

lakshman239 · ‎09-30-2016

Answering my own comment - Used a deployment server license from splunk support to load to a splunk instance acting as deployment server and heavy forwarder.

somesoni2 · ‎04-20-2016

You can use your HF as license slave.

prakash007 · ‎04-20-2016

Hi somesoni2,

I have put some filtering using props and transforms on HF before sending the data to cloud, will it work fine when i change it to slave or free license..?

somesoni2 · ‎04-20-2016

I've not tried with free license, but it'll work just fine with slave license.

ktugwell_splunk · ‎04-20-2016

Hi McNamara,

It depends, will you ever want to use indexing on the HF or authentication?

If not, then use a forwarder license.

prakash007 · ‎04-20-2016

Ktugwell,

I don't want to use indexing on HF, but still i have some regexs in props and transforms to filter/restrict/mask some of the data before sending it to cloud.

-do i need to convert it to slave or a free license would be fine..?

ktugwell_splunk · ‎04-20-2016

A forwarding license will use these transformations as the HF will still parse the information.

So a forwarding license will work fine. You could also send your Transforms and Props to the SplunkCloud team and then your indexers can do the work, eliminating the need for a HF 🙂

chanamoluk · ‎12-22-2016

if we send the props.conf and transforms.conf to splunk cloud team they will configure it on indexers, my doubt her is whether the licence usage will be calculated after filtering or before filtering?

somesoni2 · ‎12-22-2016

After filtering (actually the amount of data goes to indexing queue will be your license usage).

Do we need a license for Heavy forwarder..?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!