Hi,
As we begin to roll out hundreds and thousands of universal forwarders, I was wondering if it made sense to create a layer of heavy forwarders, to take some load off the indexers. Has anyone done this? Does it make sense?
I will have multiple indexers, but I also want to do whatever is possible to reduce the load on the indexers.
I recently had this discussion, but it was more around using regional heavy forwarders that feed into a central indexer. We had existing heavy forwarders for syslog collection, so had to decide whether or not to send universal forwarder data towards them, or direct to the indexer.
Pros of using HF / cons of not using HF:
Pros of not using HF / cons of using HF:
Can it be done? Yes. Should it? That's entirely up to you, and hopefully this helps you ask the right questions for your scenario.
What about having multiple indexers to share the load? http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Setuploadbalancingd