Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Heavy Forwarder queue saturation for sending logs to Universal Forwarders

jeremieQuiviger
New Member
yesterday

Hello, 

I recently had to deploy a Heavy Forwarder in my infrastructure in order to perform transformations using a custom app. The current flow is as follows :

UF -> Heavy Forwarder relay -> Universal Forwarder relay -> Indexers

I am now observing a queue full issue on all Heavy Forwarders, while the queues on the next Universal Forwarders relay remain free.

I am therefore questioning the suitability of this architecture. I would like to know whether the Heavy Forwarder is still supposed to be at the end of the log flow, sending data directly to the Indexers, or if it can be positioned upstream of a Universal Forwarder that relays the data to the indexers.

Could this intermediate layer of Universal Forwarder be the cause of the queue saturation?

Thank you in advance for your help.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
3 hours ago

Well... Technically, this setup should generally work although it is not officially supported and if my memory serves me right there can be some issues around useACK.

@gcusello 's hint about thruput limits might be the right path. The thing is the thruput processor comes _before_ the ingestion pipeline (at least that's how I read the limits.conf spec file) so your input would get throttled but still you'd have empty queues "inside" the forwarder.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
yesterday

Hi @jeremieQuiviger ,

why are you using another UF after the HF, you can use the HF for parsing and relay.

Anyway, did you checked the throughtput through the UFs? by default they have 256 kb, instead HF is unlimited.

The best solution is to replace the UF relay with an HF.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...