Getting Data In

What is the server role of heavy forwarder and indexers in cluster?

dkrichards16
Path Finder

In the monitoring console, what is the best practice for the server role of heavy forwarders? I used Indexer but am not sure if there is a better fit for those. Our heavy forwarder will be the only indexer in the overview page because, according to the docs for index clusters, you only add the search head master as a search peer? Could someone please confirm these are both accurate?

0 Karma

woodcock
Esteemed Legend

Only assign the role of Indexer if it is a search peer. And if it is an Indexer, you SHOULD NOT be using it as a Heavy Forwarder. It should be EITHER one or the other role. If you are doing both roles on a single server, get another server and split those roles.

0 Karma

dkrichards16
Path Finder

Okay, thanks. The MC doesn't have an option for heavy forwarder as a server role. Should I leave it blank? Also, we are using the heavy forwarder to bridge between two Splunk instances on different networks, and the heavy forwarder is on a DMZ. Is it better to send the internal logs to the receiving Splunk location's MC or the MC on the forwarding side's Splunk?

0 Karma

woodcock
Esteemed Legend

If you give it the Indexer role, then all of your Indexer-based views will include that server and throw off the numbers. Using HF in DMZ is definitely a valid reason to have HF. I would assign it the role Heavy Forwarder even though it is not used anywhere.

0 Karma

joesrepsolc
Communicator

How can you assign it that role though? "Heavy Forwarder" is not a selectable option. Or are you doing this in a conf file regardless? Just want to be clear. Thanks.

0 Karma

jotne
Builder

This still has not been solved in 2024. I do miss a Heavy Forwarder group/tag as well. Indexer group should only contain indexers, but we now have the HF in that group as well.

0 Karma

dkrichards16
Path Finder

Also, to turn on internal logs: is it better to add the heavy forwarder to the monitoring console on the receiving side or the sending side? I'm currently working on the sending side and not sure if I can force the internal logs to go to an internal source and not be forwarded with everything else?

0 Karma