Getting Data In

How do I convert my indexer into a heavy forwarder?

Bakerton
New Member

Long story short, I have been indexing my own data for years now and recently started forwarding upstream to another cluster. I don't need to index on my network anymore and just want to have my indexer serve as a heavy forwarder so I don't have to reconfigure 600+ endpoints. Is this feasible or will I break lots of things?

Thanks!


richgalloway
SplunkTrust

The main difference between an indexer and a HF is the HF has an outputs.conf file.

Keep in mind that once the indexer becomes a HF any data stored on it becomes unreachable to the upstream cluster. The HF should still be able to search it, however, but I have no experience with that setup. It may be possible to add the HF as a search peer to the upstream cluster, but I've not tried it and don't know of any possible hazards.

I also should point out that having a single intermediate forwarder (IF) can be problematic. It will be a single point of failure that will prevent all of your data from reaching the indexer. It can lead to an uneven distribution of events across the indexers, which will affect search performance. It would be better to use the deployment server to push a new outputs.conf file to the UFs.

---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust

Hi

As @richgalloway said, it's quite easy to switch an IDX to a HF, but whether you can search that old data or not is an interesting question. I haven't tried it, as usually it's much easier and cheaper (you probably have a lot of disk space in use on the indexer which is not needed on a HF, and probably more resources than are needed after the switch over?) to add a new HF than to convert the IDX to a HF. Basically just install a new instance, then switch those IPs to the new one and add that old one as a search peer to the new SH(s).

Of course you can, and actually should, add the HF as a search peer to your MC to see what is happening there, but adding the HF as a "normal" search peer to a SH is maybe not the best option?

If you still want to convert your indexer to a HF, then just add an outputs.conf which sends all events to the new indexer(s) as described here: https://docs.splunk.com/Documentation/Splunk/9.0.1/Indexer/Forwardmanagerdata

r. Ismo

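To make the conversion both answers describe concrete, here is an outputs.conf for the former indexer once it acts as a heavy forwarder. This is an added example for this thread, not configuration posted by either answerer or taken from the linked Splunk docs. The host names, certificate path and receiving port 9997 are constructed placeholders; the stanzas and keys themselves are standard outputs.conf settings. It forwards to every indexer in the upstream cluster with load balancing and acknowledgements, encrypts the HF-to-indexer hop, and turns off local indexing so the box stops growing its own buckets.

```ini
# outputs.conf on the former indexer, now a heavy forwarder (HF).
# Added example for this thread; hosts, port and paths are placeholders.
# Put it in $SPLUNK_HOME/etc/system/local/ (or in an app) and restart splunkd.

[tcpout]
defaultGroup = upstream_cluster

[tcpout:upstream_cluster]
# List every indexer of the upstream cluster so the HF spreads events across
# all of them; a single fixed target would reproduce the uneven distribution
# and single point of failure richgalloway warns about.
server = idx1.example.internal:9997, idx2.example.internal:9997, idx3.example.internal:9997
autoLBFrequency = 30

# Indexer acknowledgement: the HF keeps events queued until the receiving
# indexer confirms it has written them, so a receiver restart loses nothing.
useACK = true

# TLS for the HF -> indexer hop, with verification of the receiver's
# certificate; the names must match the certs installed on the indexers.
clientCert = $SPLUNK_HOME/etc/auth/hf-forwarder.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal, idx3.example.internal

[indexAndForward]
# Stop writing to local indexes; from now on events are only forwarded.
# Existing buckets stay on disk and are searchable only from this host (or by
# adding it as a search peer), exactly the caveat raised in the answers above.
index = false
```

The inputs.conf receiver the 600+ endpoints already talk to (the [splunktcp://9997] stanza on this host) stays untouched, which is what avoids reconfiguring the UFs. After the restart, `splunk list forward-server` on the HF should show the three indexers under "Active forwards"; if they sit under "Configured but inactive", check name resolution, the port, and the certificate names before assuming the conversion worked.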