Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

High Availability for Heavy forwarder configuration?

karthikeyan_k14
New Member
‎06-19-2017 08:51 PM

Current setup of Splunk Instance is 10 UF---->2HF---->3IDX,
In HF for load balance we go with config of autoLB with frequency. has anyone can help for failover or HA mode at HF configuration?..how it will be work with BCP if one of the HF hardware or path fails?

UF------>}HF1
UF1------->} HF1
UF--------}HF2
UF1----->HF2

0 Karma
Reply

adonio
Ultra Champion
‎06-24-2017 07:24 PM

hello there,
@jplumsdaine22 comments are very valid, and i recommend to follow his lead.
straight out, there is no real HA configuration for HF.
with that being said, you can achieve some sort of continuance / semi HA configuration with your architecture by configuring the Universal Forwarders to auto load balance to both HF. now if one HF is down, the Universal Forwarders will send data to the HF that is still up.
outputs on UF has to have both HF on all UF, in contrary to your diagram in the question
hope it helps

0 Karma
Reply

jplumsdaine22
Influencer
‎06-20-2017 06:59 AM

Is there a particular reason you're using the HFs at all? It is best practice to have NO intermediate tier between the UFs and Indexers.

0 Karma
Reply

AaronMoorcroft
Communicator
‎09-25-2017 03:48 AM

The HFs would be needed depending on the size of the environment, for example having 1000 servers all sending directly to the Indexer would not be a great idea as this would impact on performance, especially if the Indexer is also being used as a Search Head / Deployment Server / License Master and so on. In a smaller setup yes that would be best practice.

Having a HF installed on a system for example to split up sites so maybe a London site and a Birmingham site, in that situation you would have HFs installed and I could then see a requirement for HA, I guess in this situation you would configure the UF to send logs to both HFs for that one site and if one goes down the logs still are being routed via the other. if that site went down then you would have no logging.

The problem you then have is that you would potentially be doubling up on the logs being sent so some duplication would then take your license up, I don't know so much about that side of things but i'm sure there is a way of dropping duplicate logs.

0 Karma
Reply

karthikeyan_k14
New Member
‎06-20-2017 07:02 AM

yes, its needed for to filter and routing few event logs before indexer.

0 Karma
Reply

jplumsdaine22
Influencer
‎06-20-2017 08:02 AM

You probably know already , but just in case you don't: All that filtering & routing can probably all be done without the HFs. I collect data from thousands of windows UFs without any heavy forwarders - filtering is all done at the index layer.

There's a good blog post explaining why HFs are not so great here:

https://www.splunk.com/blog/2016/12/12/universal-or-heavy-that-is-the-question/

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...