Getting Data In

How do I convert my indexer into a heavy forwarder?

Bakerton
New Member

Long story short, I was indexing my own data for years now and recently started forwarding upstream to another cluster. I don't need to index on my network anymore and just want to have my indexer serve as a heavy forwarder so I don't have to reconfigure 600+ endpoints. Is this feasible or will I break lots of things?

Thanks!


richgalloway
SplunkTrust

The main difference between an indexer and an HF is that the HF has an outputs.conf file.

Keep in mind that once the indexer becomes an HF, any data stored on it becomes unreachable to the upstream cluster. The HF should still be able to search it, however, but I have no experience with that setup. It may be possible to add the HF as a search peer to the upstream cluster, but I've not tried it and don't know of any possible hazards.

I also should point out that having a single intermediate forwarder (IF) can be problematic. It will be a single point of failure that will prevent all of your data from reaching the indexer. It can lead to an uneven distribution of events across the indexers, which will affect search performance. It would be better to use the deployment server to push a new outputs.conf file to the UFs.

---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust

Hi

As @richgalloway said, it's quite easy to switch an IDX to an HF, but whether you can search that old data or not is an interesting question. I haven't tried it, as usually it's much easier and cheaper (you probably have a lot of disk space used on the indexer which isn't needed on an HF, and probably more resources than are needed after the switchover?) to add a new HF than to convert the IDX to an HF. Basically, just install a new instance, then switch those IPs to the new one and add the old one as a search peer to the new SH(s).

Of course you can, and actually should, add the HF as a search peer to your MC to see what is happening there, but adding the HF as a "normal" search peer to the SH is maybe not the best option?

If you still want to convert your indexer to an HF, then just add an outputs.conf which sends all events to the new indexer(s), as described here: https://docs.splunk.com/Documentation/Splunk/9.0.1/Indexer/Forwardmanagerdata

r. Ismo

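The outputs.conf that both replies above refer to, written out as an added example for the conversion described in the thread (it is not from the thread, from Splunk's documentation, or from the original poster's environment; the group name, hostnames and ports are placeholders):

```ini
# outputs.conf on the former indexer, now acting as a heavy forwarder.
# Added example; "upstream_indexers" and the idxN.example.com hosts are
# placeholders for the real upstream cluster members.
[tcpout]
defaultGroup = upstream_indexers
# Do not keep a local copy of every event any more; the box only forwards.
# The data already in its local buckets stays where it is and is not
# replicated upstream, which is the point richgalloway raises above.
indexAndForward = false

[tcpout:upstream_indexers]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
# Wait for the receiving indexer to acknowledge each batch before the
# forwarder discards its copy, so a crash on the HF does not lose data in flight.
useACK = true
# Rotate between the listed indexers so events are spread across them
# (30 seconds is the Splunk default; shown here for clarity).
autoLBFrequency = 30
```

The existing inputs.conf, including the `[splunktcp://9997]` stanza the 600+ universal forwarders already send to, stays unchanged, which is what lets the endpoints keep their current configuration. After placing the file, `splunk btool outputs list --debug` shows the effective stanzas and which file each setting came from, and a restart applies it. The single-point-of-failure and uneven-distribution caveats from richgalloway's reply still apply: this config makes the one HF the only path from the UFs to the cluster.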