Getting Data In

Do we need a license for Heavy forwarder..?

prakash007
Builder

I have this workflow

UFs---------->HF---------->Splunkcloud

I'm using this HF just to route the data to Splunk clould without any indexing locally, but with few regexes for filtering in props and transforms. When i tried to login to HF GUI there was a message prompted to upgrade the license.

Can i convert that HF to a slave or a Free license..?

1 Solution

lguinn2
Legend

For a heavy forwarder (HF), you should set up one of the following options:

1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities - and the HF will consume no license, as long as it does not index data.

2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose. (Note that the Universal Forwarder has the forwarder license pre-installed.)

I strongly discourage using either the trial license or the free license on a production forwarder.

View solution in original post

lguinn2
Legend

For a heavy forwarder (HF), you should set up one of the following options:

1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities - and the HF will consume no license, as long as it does not index data.

2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose. (Note that the Universal Forwarder has the forwarder license pre-installed.)

I strongly discourage using either the trial license or the free license on a production forwarder.

damode
Motivator

Hi @Iguinn,

Is the 2nd option better than 1st ? and why so ? I am curious to know.
Thanks.

0 Karma

somesoni2
Revered Legend

@chanamoluk's new comment.

can you please provide me the steps ,how to make my HF as slave so that my HF will not consume any license...
currently I have forwarder license which I need to use it for HF. as my HF is going to expire with in few days...

Run the command mentioned in @lguinn comment

splunk edit licenser-groups Forwarder -is_active 1
 splunk restart
0 Karma

chanamoluk
Explorer

where to run this command , i havn't found "splunk-forwarder.license" folder any where in my HF
$SPLUNK_HOME/etc/.....

0 Karma

dcroteau
Splunk Employee
Splunk Employee

Lguinn, In your option #2. Do you still go to $SPLUNK_HOME/etc/splunk-forwarder.license and copy it to splunk.license and restart splunkd if you don't want it to be a slave?

lguinn2
Legend

You can do that, or you can just do this:

splunk edit licenser-groups Forwarder -is_active 1
splunk restart

This will switch Splunk to the built-in forwarder license. These command will work even if you don't have the $SPLUNK_HOME/etc/splunk-forwarder.license file

0 Karma

lakshman239
Influencer

hello Lisa, I have a similar situation for a customer. On your option 2 - I want to config the splunk instance as both heavy forwarder and a deployment server to manage the on-premise deployment clients. How do I go about setting up the license? I don't think I can make them as a slave to my managed splunk cloud. Pls advise. Thanks
Laks

0 Karma

lakshman239
Influencer

Answering my own comment - Used a deployment server license from splunk support to load to a splunk instance acting as deployment server and heavy forwarder.

0 Karma

somesoni2
Revered Legend

You can use your HF as license slave.

0 Karma

prakash007
Builder

Hi somesoni2,

I have put some filtering using props and transforms on HF before sending the data to cloud, will it work fine when i change it to slave or free license..?

0 Karma

somesoni2
Revered Legend

I've not tried with free license, but it'll work just fine with slave license.

0 Karma

ktugwell_splunk
Splunk Employee
Splunk Employee

Hi McNamara,

It depends, will you ever want to use indexing on the HF or authentication?

If not, then use a forwarder license.

0 Karma

prakash007
Builder

Ktugwell,

I don't want to use indexing on HF, but still i have some regexs in props and transforms to filter/restrict/mask some of the data before sending it to cloud.

-do i need to convert it to slave or a free license would be fine..?

0 Karma

ktugwell_splunk
Splunk Employee
Splunk Employee

A forwarding license will use these transformations as the HF will still parse the information.

So a forwarding license will work fine. You could also send your Transforms and Props to the SplunkCloud team and then your indexers can do the work, eliminating the need for a HF 🙂

0 Karma

chanamoluk
Explorer

if we send the props.conf and transforms.conf to splunk cloud team they will configure it on indexers, my doubt her is whether the licence usage will be calculated after filtering or before filtering?

0 Karma

somesoni2
Revered Legend

After filtering (actually the amount of data goes to indexing queue will be your license usage).

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...