How to configure heavy forwarders as intermediate forwarders?


I would like to have six intermediate forwarders before the indexers. Also, I am interested in configuring parsing on the intermediate forwarders only. Can someone help me with how to configure this?

I have done the basic configuration, where I am facing parsing queue and tail reader errors on the IF, and traffic is getting blocked.

Can you please help me solve this problem?



Hi @shivanandbm,

as @richgalloway said, the number of Heavy Forwarders is relevant only for performance. How many final Forwarders have to send their logs to the Intermediate Forwarders?

Usually two Intermediate Forwarders are used (and they could be Heavy or also Universal Forwarders), and if there's a queue issue on one of them it's better to give it more resources than to add a new one; anyway, using six Intermediate Forwarders should be mandatory only if you have hundreds of thousands of other Forwarders!

The only situation in which to use six Intermediate Forwarders is when you have three segregated networks and you have to put two of them in each of these networks.

Anyway, about configuration, you have to create an App, called e.g. TA_Forwarders, where there are only three files:

  • app.conf, containing information about the app,
  • deploymentclient.conf, containing the address of the Deployment Server,
  • outputs.conf, addressing the Intermediate Heavy Forwarders,

and then deploy this app to all the final Forwarders that have to send their logs to the Indexers passing through the Intermediate HF.

Then you have to create another app, called e.g. TA_HF, containing the same files but addressing the Indexers, and then deploy it to the Heavy Forwarders.

The correct question is: how to manage all these Forwarders (final and Intermediate)?

You have two solutions:

  • use one Deployment Server reachable by all the Forwarders (Final and Intermediate); it's the easiest solution but requires opening a connection between all the Forwarders (Intermediate and final) and the Deployment Server,
  • use a primary Deployment Server to manage the Heavy Forwarders and all the other Forwarders directly connected to the Indexers, and use one of the Heavy Forwarders of each segregated network as a secondary Deployment Server that manages the Forwarders of its network.

The second solution is just a little more complicated but preferable.

I hope to have answered your question and not enlarged your confusion!



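As an added example (not part of the answer above and not Splunk's own reference configuration), here is a minimal layout of the two deployment apps it describes, TA_Forwarders for the final forwarders and TA_HF for the Intermediate Heavy Forwarders. All hostnames and ports are placeholders. One file beyond the answer's three is included on the HF side: an inputs.conf with a splunktcp receiving port, since an HF only accepts forwarded data when such an input is enabled. useACK is set so that a forwarder resends anything an HF with a blocked queue never acknowledged, which is the delivery guarantee you want when the parsing queue on an IF fills up.

```ini
# Added example: two Splunk deployment apps (TA_Forwarders, TA_HF).
# Hostnames and ports are placeholders (assumptions), not real systems.

# ---------- TA_Forwarders (deployed to the final Universal Forwarders) ----------

# TA_Forwarders/default/app.conf
[install]
state = enabled

[package]
check_for_updates = false

[ui]
is_visible = false
is_manageable = false

# TA_Forwarders/default/deploymentclient.conf
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
# placeholder: the Deployment Server reachable by these forwarders
targetUri = ds.example.com:8089

# TA_Forwarders/default/outputs.conf
[tcpout]
defaultGroup = intermediate_hf

[tcpout:intermediate_hf]
# placeholders: the two Intermediate Heavy Forwarders of this network;
# the forwarder load-balances across the list
server = hf1.example.com:9997, hf2.example.com:9997
autoLBFrequency = 30
# indexer acknowledgement: data the HF never acked is resent, so a
# blocked queue on one HF does not silently drop events
useACK = true
# optional TLS on the forwarding link (settings exist; certificates not shown):
# clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
# sslVerifyServerCert = true

# ---------- TA_HF (deployed to the Intermediate Heavy Forwarders) ----------

# TA_HF/default/app.conf: same content as TA_Forwarders/default/app.conf
# TA_HF/default/deploymentclient.conf: same content, pointing at the
#   Deployment Server that manages the Heavy Forwarders

# TA_HF/default/inputs.conf (added beyond the answer's three files)
# receive the Splunk-to-Splunk stream from the final forwarders
[splunktcp://9997]
disabled = 0

# TA_HF/default/outputs.conf
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# placeholders: the indexers
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997
useACK = true

[indexAndForward]
# forward only; keep no local copy of the data on the HF
index = false

# Parsing rules (props.conf / transforms.conf) are not part of these apps:
# they come from the add-ons for each sourcetype installed on the HF.
```

The two apps differ only in where outputs.conf points, so the second Deployment Server layout from the answer (one HF per segregated network acting as DS for its own network) is just a matter of giving TA_Forwarders a different targetUri per network.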


Why do you want 6 intermediate forwarders? IFs can impede performance and add complexity, so they should be used only when necessary.

Parsing in a heavy forwarder is automatic, so no configuration is needed other than installing TAs that know how to process the sourcetypes. Once data is parsed by the IF, it is not parsed again.

Tell us more about the problem you are having.

If this reply helps you, Karma would be appreciated.