Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forward data without effecting ingest volume

dloszews
Explorer
‎01-12-2021 01:30 PM

Hello,

We have one universal forwarder, and two cloud instances.   Currently I have all data going to 1 indexer, I've been attempting to determine the most efficient way to parse and route the data so that it will go to the correct indexer/splunk instance without effecting ingest volume.   If I ingest everything into the "primary" indexer can I just parse and route that raw data to the "secondary" indexer without effecting ingest volume on the "primary"? 

I was originally going to use a heavy forwarder for the parsing and routing but sounds like that may be more network IO intensive.  

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-13-2021 04:34 AM

Hi @dloszews,

if you index a log before in an Indexer and then in another one (also in Cloud), you ingest this log twice and pay twice the license!

For this reason the correct option is to use an Heavy Forwarder that has all the features of an Indexer but it doesn't index data so you don't pay it twice.

I don't understand what you mean that using an HF is more Network intensive, it's the same thing because you're sending the same data from primary (Indexer or HF) to the Cloud.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...