Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Role of Heavy Forwarder between UF and Indexer

VijaySrrie
Builder
‎12-18-2021 08:56 PM

Hi,

Indexer can do Parsing and Indexing then why do we use HF between UF and Indexer?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2021 10:38 PM

When you introduce a HF layer in your environment, you offload all the ingestion-phase work, except the actual indexing onto HF's. So your indexers don't have to bother with listening for HEC events, doing time extraction, indexed field extractions, ingest-time evals.This leaves your indexers for the sole purpose of indexing and searching.

Additionally, there are apps which do not run on UF's but need indexer or HF. These are typically apps running some scripted/modular inputs. Running them on indexers would add unnecessary asymmetrical load if you ran them on a single indexer in a cluster.

So as your environment grows introducing a HF layer has its pros.

EDIT: Oh, and one more thing. Two actually.

If you have an intermediate load-ballancing forwarder layer you don't have to update your outputs on UF's when you grow "sideways" adding new indexers. It's annoying especially if you don't manage UF's with deployment server. You're more likely to need another indexer or two than new HF's.

And if if you offload most (if not all) ingest-time apps to HF, you don't have to restart your indexers if you have to change something in them.

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2021 10:38 PM

When you introduce a HF layer in your environment, you offload all the ingestion-phase work, except the actual indexing onto HF's. So your indexers don't have to bother with listening for HEC events, doing time extraction, indexed field extractions, ingest-time evals.This leaves your indexers for the sole purpose of indexing and searching.

Additionally, there are apps which do not run on UF's but need indexer or HF. These are typically apps running some scripted/modular inputs. Running them on indexers would add unnecessary asymmetrical load if you ran them on a single indexer in a cluster.

So as your environment grows introducing a HF layer has its pros.

EDIT: Oh, and one more thing. Two actually.

If you have an intermediate load-ballancing forwarder layer you don't have to update your outputs on UF's when you grow "sideways" adding new indexers. It's annoying especially if you don't manage UF's with deployment server. You're more likely to need another indexer or two than new HF's.

And if if you offload most (if not all) ingest-time apps to HF, you don't have to restart your indexers if you have to change something in them.

Reply
Solved! Jump to solution

Roy_9
Motivator
‎12-18-2021 10:31 PM

@VijaySrrie If you want to filter out the logs before even writing those to the indexers, HF will be a great option and it will be saving your license as well on your ingestion amounts.

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2021 10:40 PM

License is counted based on data written to _indexes_, not indexers. You can reroute events to nullqueue on indexer if you don't have HF's.

0 Karma
Reply
Solved! Jump to solution

Roy_9
Motivator
‎12-18-2021 10:44 PM

Yup indexes, it was a typo.

Thanks for correcting.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...