Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Intermediate Heavy Forwarder setup: How to view what exactly is going into these queues, and where to chase the problem?

mxanareckless
Path Finder
‎07-06-2020 05:19 PM

There doesn't seem to be a lot of documentation or discussions online which cover the setup of an intermediate, heavy forwarder.

We need this for the following reasons:

* to scrub/anonymize personal information from data coming from universal forwarders

* to reduce load on indexing server, whose parsing queues are consistently full

Here is the deployment:

[uf] > [hf] > [indexer]

Does anybody have example .conf files that would support this? So far, mine look as such:

Universal forwarder's outputs.conf:

[tcpout]
defaultGroup = pspr-heavy-forwarder
[tcpout:pspr-heavy-forwarder]
disabled = false
server = 192.168.60.213:9997

Heavy forwarder's outputs.conf:

[tcpout]
defaultGroup = central-indexer
indexAndForward = false
sendCookedData = true
useACK = true

[tcpout:central-indexer]
disabled = false
server = 192.168.60.211:9997

Indexer's inputs.conf:

[default]
queue = indexQueue

I've directed all universal forwarders to send to the intermediate forwarder, but the main indexer's still showing saturated queues. Local monitoring is limited to Splunk's own logs. Is there a way I can view what exactly is going into these queues, so I know where to chase the problem?

full.PNG

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2020 11:47 PM

Hi @mxanareckless ,

I'm havinbg a problem similat to your but related to the syslog sending to a third party that you haven't!

there isn't a special configuration on the Heavy Forwarder and you can use the default settings because the limits to bandwidth occupation aren't present in HFs.

There's only two hints I can give you:

  • at first check the throughtput on storage: splunk requires at least 800 (or more) IOPS on disks, how many IOPS have your storage?
  • then check the resources on your Indexers (especially CPUs!): Splunk requires at least 12 CPUs on Indexers and more if you have to index many logs and you have many scheduled searches.

You can measure IOPS using a tool like Bonnie++.

Disks usually are the bottleneck in Splunk architectures.

Then check the resources (always CPUs) on the HFs: I use HFs only if I need to concentrate flows , never to move some jobs from the Indexers to another system, I prefer to give more resources to the Indexers.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

kundeng
Path Finder
‎01-30-2023 04:56 PM

 The  default queue in inputs.conf was set to  IndexQueue?   So all your inputs by default, unless specified otherwise will SKIP parsing queues on HF.  That would not solve your problem of parsing queue getting full issue on your indexers.  

so perhaps you need to remove that setting, but explicitly set queue=IndexQueue on sourcetypes that do not require scrubbing etc.  

 

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-07-2020 12:41 PM

Hi

unfortunately I haven’t our configurations on my hands, but those are really simple. 

UF: 

  • point To IHF(s) 
  • useACK = true

IHF:

  • normal input for listening UFs
  • output points to CM with IDX discovery or directly to indexers
  • useACK = true
  • if needed you could add pipelines here

IDX:

  • normal input (without any queue definitions)

Please remember if/when you need to do any props, transforms etc. changes those must be done on the first non UF node. And only indexing queue parts can do on indexer nodes!


r. Ismo 

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-07-2020 12:44 PM
And one way to monitor what are happening on those IHFs is add those ass IDX to MC with own group.
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2020 11:47 PM

Hi @mxanareckless ,

I'm havinbg a problem similat to your but related to the syslog sending to a third party that you haven't!

there isn't a special configuration on the Heavy Forwarder and you can use the default settings because the limits to bandwidth occupation aren't present in HFs.

There's only two hints I can give you:

  • at first check the throughtput on storage: splunk requires at least 800 (or more) IOPS on disks, how many IOPS have your storage?
  • then check the resources on your Indexers (especially CPUs!): Splunk requires at least 12 CPUs on Indexers and more if you have to index many logs and you have many scheduled searches.

You can measure IOPS using a tool like Bonnie++.

Disks usually are the bottleneck in Splunk architectures.

Then check the resources (always CPUs) on the HFs: I use HFs only if I need to concentrate flows , never to move some jobs from the Indexers to another system, I prefer to give more resources to the Indexers.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

mxanareckless
Path Finder
‎07-10-2020 09:34 AM

@gcusello 

 

I did suspect this was an NFS issue, as the bottleneck first appeared after I migrated the indexes over. Turns out Splunk was using the slower backup pool, and not the iops-optimized pool. Thanks for pointing me in the right direction!

0 Karma
Reply
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...