Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

universal forwarder

hazem
Path Finder
‎03-04-2025 06:37 AM

Dear all,

 

I have the following outputs.conf configuration:

[tcpout] defaultGroup = my_indexers
 
[tcpout:my_indexers] server = mysplunk_indexer1:9997, mysplunk_indexer2:9997
 
[tcpout-server://mysplunk_indexer1:9997]
 

Could you please clarify the Universal Forwarder (UF) behavior in the event that mysplunk_indexer1 goes down?

  • Will the UF continue sending data to both indexers despite mysplunk_indexer1 being down?
  • Or will the UF detect that mysplunk_indexer1 is unreachable and stop forwarding traffic to it?
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-04-2025 07:35 AM

Hi @hazem ,

at first the last row isn't mandatory, it's an old configuration and if you put it, you should add one row for each server.

Anyway, if you configure more than one Indexer, lofs are forwarded to all the Indexers changing destination every 30 seconds using a round robin algorithm for the load balancing.

Then, if an Indexers isn't available, the Forwarders tries with another one; id no Indexers are available it saves logs on a local cache and forward them when the connection is established again.

Ciao.

Giuseppe

 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-04-2025 06:43 AM

In terms of further breakdown to the previous answer: 

  1. Automatic Failover: If mysplunk_indexer1 goes down, the UF will detect the failure and automatically stop sending data to that indexer.
  2. Continued Forwarding to Available Indexers: The UF will continue forwarding data to mysplunk_indexer2:9997. The forwarder does not stop forwarding entirely but rather distributes the load among the remaining available indexers.
  3. Retry Logic: The UF will periodically attempt to reconnect to mysplunk_indexer1. Once it becomes available again, data will resume being sent to it.
  4. Load Balancing (if applicable): If both indexers were previously receiving traffic in a load-balanced manner (e.g., using autoLBFrequency), the UF would shift all the load to the remaining functional indexer.

Also, you might want to consider the following:

 

  • If no indexers are available, events will be queued locally in memory (or on disk if useAck is enabled).
  • Ensure you configure proper connectionTimeout and autoLBFrequency settings to optimize failover behavior.
  • If useACK=true (for reliable delivery), the UF will queue events until an indexer acknowledges them.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-04-2025 06:42 AM

Hi @hazem 

Will the UF continue sending data to both indexers?
No, it will only send data to the available indexer (mysplunk_indexer2)

Will the UF detect that mysplunk_indexer1 is unreachable?
Yes, the UF will detect the unreachability and automatically adjust its forwarding strategy

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...