
Protocol used by Splunk Universal/Heavy Forwarder

SplunkDash
Builder

Hello,

I went through some of the online resources to get a clear idea of what protocols the Splunk UF/HF uses to send data/events to the Splunk indexer, but I couldn't get any clear ideas. Any help/info on what protocol the UF/HF uses would be highly appreciated. Thank you so much.


gcusello
Legend

Hi @SplunkDash,

The connection between HFs and IDXs uses the https protocol.

You can use a self-signed or a third-party certificate.

Ciao.

Giuseppe

SplunkDash
Builder

Hello,

Thank you so much for your info. I have a couple of questions related to that, to better understand:

1. What is the Splunk to Splunk protocol? One of the online resources talks a little about it.
2. If the UF/HF uses HTTP protocols, then what are the differences between using the Splunk HEC event collector protocol and the UF/HF?

Thank you again.

gcusello
Legend

Hi @SplunkDash,

Very quickly:

Splunk to Splunk protocol is a way to communicate between Splunk servers, optimized for Splunk data exchange, and gives many features, e.g. fail-over, load balancing, encryption, compression, caching, etc.

HEC is a way to send data to Splunk from scripts using http/https messages.

There are many differences between Splunk to Splunk protocol and HEC, and my hint is to always use (obviously when possible) Splunk Forwarders, for the above advantages (fail-over, load balancing, encryption, compression, caching, etc.).

When you cannot use Forwarders (e.g. appliances), you can use syslog (TCP or UDP); when you have scripts, you can use HEC.

Ciao.

Giuseppe
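The thread makes two practical points: HEC is how a script sends events over http/https, and the forwarder-to-indexer link runs over https with either a self-signed or a third-party certificate. The following is an added example (not code from this thread or from Splunk) of a minimal HEC client written with the Python standard library that verifies the collector's TLS certificate before sending. The collector URL, token, CA path and sample event are placeholders I made up; the endpoint path `/services/collector/event`, the `Authorization: Splunk <token>` header and the JSON envelope with `event`, `time`, `host`, `index` and `sourcetype` are the documented HEC interface.

```python
import json
import ssl
import time
import urllib.request

# Placeholders, not values from the thread. HEC listens on 8088 by default.
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token


def build_hec_payload(event, sourcetype="_json", index=None, host=None, ts=None):
    """Build one HEC event envelope as a JSON-encoded bytes body.

    'event' may be a string or a dict; HEC wraps it in an envelope that
    carries optional metadata (time, host, index, sourcetype).
    """
    envelope = {"event": event, "sourcetype": sourcetype}
    envelope["time"] = ts if ts is not None else time.time()
    if index:
        envelope["index"] = index
    if host:
        envelope["host"] = host
    return json.dumps(envelope, separators=(",", ":")).encode("utf-8")


def build_hec_request(url, token, body):
    """Return a POST request carrying the HEC token in the Authorization header."""
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def make_tls_context(ca_bundle=None):
    """TLS context that verifies the collector's certificate and hostname.

    For a self-signed deployment, pass the path of the CA certificate that
    signed the collector's cert; for a public CA, leave ca_bundle=None so
    the system trust store is used. Verification is never disabled.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_to_hec(event, url=HEC_URL, token=HEC_TOKEN, ca_bundle=None, **meta):
    """POST one event and return the parsed HEC reply, e.g. {"text": "Success", "code": 0}."""
    body = build_hec_payload(event, **meta)
    req = build_hec_request(url, token, body)
    ctx = make_tls_context(ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample event; this call needs a reachable collector.
    print(send_to_hec({"user": "alice", "action": "login", "result": "failure"},
                      index="security", host="app01", sourcetype="app:auth",
                      ca_bundle="/etc/ssl/private/splunk-ca.pem"))  # placeholder path
```

Unlike a forwarder, a script gets none of the queueing, acknowledgement or connection rotation mentioned above, so anything beyond a one-off send should add its own retry on HTTP 5xx and connection errors.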

PickleRick
Ultra Champion

Well, there can be different approaches to the topic of whether to use UFs or not (for example regarding manageability), but let's leave it for now.

What I want to point out is that fail-over and load-balancing are not features of the protocol itself but rather of how the UF (and HF, for that matter) handles connectivity. It's completely up to the forwarder to perform the connection rotation. In fact, using external load-balancers with the s2s protocol is - as far as I remember - not recommended and not supported.

So if you have direct visibility - for example - from your UF to all HFs or indexers you want to use - no problem, point your UF at the load-balancing group and let it manage its own connections. But if you'd like to have - for example - a single internet-facing IP on which you'd do load-balancing by means of some application LB or network-level LB - it's not supported. It might work, but it might introduce unforeseeable problems.