Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

compression from a forwarder to an indexer

mfrost8
Builder
‎06-23-2010 09:38 PM

We are looking at deploying some Splunk lightweight forwarders to servers that are remote. As such, we're interested in reducing the network bandwidth required for the LWF's to transmit to the indexers. Our understanding is that the forwaders in question have more CPU available to them than they'd have bandwidth so compression potentially makes sense.

Currently we do no compression between forwarders and indexers.

I see the 'compressed' option in outputs.conf is how you'd turn this on on the forwarder side. However, according to the docs, it looks like you have to turn this on on the indexer's listener port as well.

I have a few questions.

1) I assume that this means that I can't somehow have my existing listener perform double-duty -- handling both compressed and uncompressed data. So I'd have to setup a second listener that handles only compressed traffic from forwarders.

2) I'm a little confused where this indexer listener gets configured. I don't see an option to turn on compression in the web interface. I grep'd around and it seems our existing listener settings are in etc/apps/search/local/inputs.conf. It looks like I'd configure the secondary listener with compression in this file (assuming I'm correct about needing a secondary listener for compressed traffic).

Thanks

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-23-2010 11:17 PM

  1. You can just set up a second Splunk input port number on the indexer for compressed data. A forwarder would send to either the compressed listen port or the uncompressed one appropriately, but both would be on the same indexer.

  2. You have to configure this in the outputs.conf file on the forwarder and the inputs.conf file on the indexer. It is not in the GUI.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

fwilmot
Splunk Employee
Splunk Employee
‎11-03-2010 03:11 PM

http://answers.splunk.com/questions/6513/compressed-data-from-forwarder-to-indexer lists what your inputs.conf and outputs.conf might look like so you will know where to enable compression, and what the command syntax is.

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-23-2010 11:17 PM

  1. You can just set up a second Splunk input port number on the indexer for compressed data. A forwarder would send to either the compressed listen port or the uncompressed one appropriately, but both would be on the same indexer.

  2. You have to configure this in the outputs.conf file on the forwarder and the inputs.conf file on the indexer. It is not in the GUI.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...