How to configure heavy forwarders as intermediate forwarders?

New Member

I would like to have six intermediate forwarders before the indexers. Also, I am interested in configuring parsing on the intermediate forwarders only. Can someone help me with the configuration?

I have done the basic configuration, where I am facing parsing queue and tail reader errors on the IF, and traffic is getting blocked.

Can you please help me solve this problem?

0 Karma

Esteemed Legend

Hi @shivanandbm,

as @richgalloway said, the number of Heavy Forwarders is relevant only for performance: how many final Forwarders have to send their logs to the Intermediate Forwarders?

Usually two Intermediate Forwarders are used (and they could be Heavy or also Universal Forwarders), and if there's a queue issue on one of them it's better to give it more resources than to add a new one; anyway, using six Intermediate Forwarders should be mandatory only when you have hundreds of thousands of other Forwarders!

The only situation in which to use six Intermediate Forwarders is when you have three segregated networks and you have to put two of them in each of these networks.

Anyway, about configuration, you have to create an App, called e.g. TA_Forwarders, where there are only three files:

  • app.conf, containing information about the app,
  • deploymentclient.conf containing the address of the Deployment Server,
  • outputs.conf, addressing the Intermediate heavy Forwarders,

and then deploy this app to all the final Forwarders that have to send their logs to the Indexers passing through the Intermediate HF.

Then you have to create another app, called e.g. TA_HF, containing the same files, but addressing the Indexers and then deploy to the Heavy Forwarders.

The correct question is: how to manage all these Forwarders (final and Intermediate)?

You have two solutions:

  • use one Deployment Server reachable by all the Forwarders (final and Intermediate): it's the easiest solution, but it requires opening a connection between all the Forwarders (Intermediate and final) and the Deployment Server,
  • use a primary Deployment Server to manage the Heavy Forwarders and all the other Forwarders directly connected to the Indexers, and use one of the Heavy Forwarders of each segregated network as a secondary Deployment Server that manages the Forwarders of its network.

The second solution is just a little more complicated but preferable.

I hope I have answered your question and not increased your confusion!



0 Karma
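The two apps described in the answer above could look like the following. This is an added example, not configuration posted by anyone in the thread. All host names are constructed placeholders, ports 9997 (receiving) and 8089 (management) are the usual Splunk defaults, and the `inputs.conf` listener on the Heavy Forwarders is an assumption the answer does not spell out. TA_HF would carry its own `app.conf` and `deploymentclient.conf` in the same way as TA_Forwarders.

```ini
# ---- TA_Forwarders/local/app.conf (deployed to the final Forwarders) ----
[install]
state = enabled

[ui]
is_visible = false
label = TA_Forwarders

# ---- TA_Forwarders/local/deploymentclient.conf ----
[target-broker:deploymentServer]
# Placeholder address of the Deployment Server (management port)
targetUri = ds.example.com:8089

# ---- TA_Forwarders/local/outputs.conf ----
[tcpout]
defaultGroup = intermediate_hf

[tcpout:intermediate_hf]
# Both Intermediate Forwarders are listed, so the final Forwarder
# load-balances between them and keeps sending if one is unavailable
server = if1.example.com:9997, if2.example.com:9997

# ---- TA_HF/local/outputs.conf (deployed to the Intermediate Heavy Forwarders) ----
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Placeholder Indexer addresses
server = idx1.example.com:9997, idx2.example.com:9997

# ---- TA_HF/local/inputs.conf ----
# Assumption beyond the post: the Heavy Forwarders must listen on the port
# that the final Forwarders' outputs.conf points at
[splunktcp://9997]
disabled = 0
```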


Why do you want 6 intermediate forwarders?  IFs can impede performance and add complexity so they should be used only when necessary.

Parsing in a heavy forwarder is automatic so no configuration is needed other than installing TAs that know how to process the sourcetypes.  Once data is parsed by the IF, it is not parsed again.

Tell us more about the problem you are having.

If this reply helps you, Karma would be appreciated.
0 Karma