Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to prioritize what data is forwarded from a heavy forwarder? (ex: security data first, then non-security data)

dkeck
Influencer
‎10-21-2015 01:45 AM

Hi everybody,

I'm new in Splunk, so be gentle, please.

So that's the scenario:

I have a Splunk Heavy forwarder, and I want to know if it is possible to prioritize the data which is forwarded to the indexer(s)?

For example: I have security relevant log data and I want this data to be forwarded first, every time. So that non-security relevant data is held back until the security relevant data is indexed.

Is that possible and how?

If possible, looking for solutions which are built-in to out-of-box Splunk, add-ons etc. I can't use another software for it since the system Splunk is running on is already pretty limited.

Thank you

David

Reply
1 Solution
Solved! Jump to solution
Solution

ryandg
Communicator
‎04-18-2016 09:19 AM

The only answer I have is one that you won't really benefit from. We had Splunk Pro Services visit us and one of the questions that came up was this exact question. Splunk does not have any prioritization ability according to them, hopefully someone will correct me if this was wrong but that is what we were told.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryandg
Communicator
‎04-18-2016 09:19 AM

The only answer I have is one that you won't really benefit from. We had Splunk Pro Services visit us and one of the questions that came up was this exact question. Splunk does not have any prioritization ability according to them, hopefully someone will correct me if this was wrong but that is what we were told.

0 Karma
Reply
Solved! Jump to solution

dkeck
Influencer
‎10-26-2015 04:20 AM

Nobody has an answer? too bad.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎10-27-2015 06:28 PM

What problems are you experiencing that you feel needs to be solved with prioritization of certain logs/data over other logs/data? Are you having problems out of your indexer, since it's already at the edge of overloaded?

But a thought, not perfect but at least something - if you ran two copies of Splunk as forwarders, you could prioritize the processes themselves, cranking one way down to "idle" time processing and the other leaving at normal. That could make a minor change in how each would behave.

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎10-29-2015 12:36 AM

Hi, allow me to chime in. The problem is that our bandwidth is very limited (also entirely unavailable for extended time periods), thus we'd like to be able to send the priority data first as soon as we have a (stable) connection. Only after that has been sent should the less important data be forwarded.
We'll be using indexer acknowledgement, so this could also be applied at the forwarding buffer level: we'd like to keep more of the important data than of the less important data queued on the forwarder, and if needed we'd also replace the queued unimportant data with the important data (we are really limited in this environment, otherwise we'd simply keep everything on the HF).

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎10-29-2015 05:03 AM

Thanks, that explanation of why you need it will probably help folks trying to answer this!

0 Karma
Reply
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...