
How does licensing work for a Splunk Heavy Forwarder and Indexer?

travipudi
New Member

Hi,

Need a little insight on how licensing for a Heavy forwarder works:

We are planning a solution for a client where we might have one instance of heavy forwarders and two instances of indexers per environment with one Splunk Enterprise instance.

And as per my understanding, we can use the Splunk Enterprise instance as a heavy forwarder. Now the question is: for which instance do we need to procure the license and apply it?

And how can indexers be configured to have one license instead of multiple instances?

Thanks,

Ram


lguinn2
Legend

Only the indexers will consume license, because license is based on the amount of data that Splunk ingests each day.
However, it is best if all of the heavy forwarders, search heads, etc. also have access to a license, as this unlocks certain Enterprise features. (Deployment Server / Forwarder Management is an example of such a feature.)

For any distributed environment, you should set up a single Splunk Enterprise instance as a license master; this is where you will install your Splunk licenses. All the other servers (except the universal forwarder) should be license slaves of this master.

Why are you using the heavy forwarder at all? The best practice is to use universal forwarders whenever possible.

Here is more information about setting up a license master: Configure a license master. (Note that you want to configure a central license master, not a standalone license master.)


aaraneta_splunk
Splunk Employee

@travipudi - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

skoelpin
SplunkTrust

The heavy forwarder has the ability to pre-parse your data but not index it. The Splunk license is based off how much data you index per day. So you will need to install the license on the indexer(s).

To answer the second part of your question, you will need to create a license pool by stacking your licenses together and add your indexers to the license pool.

Create New License Pool
https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Createalicensepool

Add Indexers to License Pool
https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Addanindexertoalicensepool

Now the gray area
You can make the heavy forwarder a slave to the license master, which will give it full Splunk Enterprise capabilities (since a heavy forwarder is a full Splunk instance with features disabled).

travipudi
New Member

Thanks for the update,

@Iguinn

We are using a heavy forwarder in order to reduce the maximum connections going to Enterprise Splunk, since we have firewall rules in between the logical environments.

If we use a heavy forwarder and connect all the VM machines with apps which are within the firewall, this reduces a lot of the firewall rules that we need to make changes to.
