Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Role of Heavy Forwarder between UF and Indexer

VijaySrrie
Builder
‎12-18-2021 08:56 PM

Hi,

Indexer can do Parsing and Indexing then why do we use HF between UF and Indexer?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2021 10:38 PM

When you introduce a HF layer in your environment, you offload all the ingestion-phase work, except the actual indexing onto HF's. So your indexers don't have to bother with listening for HEC events, doing time extraction, indexed field extractions, ingest-time evals.This leaves your indexers for the sole purpose of indexing and searching.

Additionally, there are apps which do not run on UF's but need indexer or HF. These are typically apps running some scripted/modular inputs. Running them on indexers would add unnecessary asymmetrical load if you ran them on a single indexer in a cluster.

So as your environment grows introducing a HF layer has its pros.

EDIT: Oh, and one more thing. Two actually.

If you have an intermediate load-ballancing forwarder layer you don't have to update your outputs on UF's when you grow "sideways" adding new indexers. It's annoying especially if you don't manage UF's with deployment server. You're more likely to need another indexer or two than new HF's.

And if if you offload most (if not all) ingest-time apps to HF, you don't have to restart your indexers if you have to change something in them.

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2021 10:38 PM

When you introduce a HF layer in your environment, you offload all the ingestion-phase work, except the actual indexing onto HF's. So your indexers don't have to bother with listening for HEC events, doing time extraction, indexed field extractions, ingest-time evals.This leaves your indexers for the sole purpose of indexing and searching.

Additionally, there are apps which do not run on UF's but need indexer or HF. These are typically apps running some scripted/modular inputs. Running them on indexers would add unnecessary asymmetrical load if you ran them on a single indexer in a cluster.

So as your environment grows introducing a HF layer has its pros.

EDIT: Oh, and one more thing. Two actually.

If you have an intermediate load-ballancing forwarder layer you don't have to update your outputs on UF's when you grow "sideways" adding new indexers. It's annoying especially if you don't manage UF's with deployment server. You're more likely to need another indexer or two than new HF's.

And if if you offload most (if not all) ingest-time apps to HF, you don't have to restart your indexers if you have to change something in them.

Reply
Solved! Jump to solution

Roy_9
Motivator
‎12-18-2021 10:31 PM

@VijaySrrie If you want to filter out the logs before even writing those to the indexers, HF will be a great option and it will be saving your license as well on your ingestion amounts.

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2021 10:40 PM

License is counted based on data written to _indexes_, not indexers. You can reroute events to nullqueue on indexer if you don't have HF's.

0 Karma
Reply
Solved! Jump to solution

Roy_9
Motivator
‎12-18-2021 10:44 PM

Yup indexes, it was a typo.

Thanks for correcting.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...