Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk - Where is best to install heavy forwarder

Robertoing
Explorer
‎04-27-2022 01:13 AM

Hi to all,

my Splunk architecture consist of: 4 SH, 2 Indexer, 1 Deployment-Server (includes Cluster Master and Deployer).

 

I need to install an heavy forwarder but I don't have availables machines; where is better to install a second Splunk Enterprise instance (Heavy Forwarder)?

 

Thanks to all.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-27-2022 01:29 AM

Hi @Robertoing,

at first Deployment Server can be shared with other roles only if it has to manage less than 50 clients and never with the Master Node, how many clients have you in your perimeter?

Then, as @SinghK asked: why 4 Search Heads? how you defined them? usually in a SH Cluster they are three, you need four SHS if you have many users and scheduled searches.

Then about Heavy Forwarders, what you need them, what's their role?

Anyway it's usually better to have at least two HFs to avoid Single point of Failues, especially if you use them as concentrators of other Universal Forwarders or as syslog servers, the only exception is when you use an HF as a pull server for cloud environments extractions.

Ciao.

Giuseppe

0 Karma
Reply

SinghK
Builder
‎04-27-2022 01:16 AM

is it a specific requirement that you need 4 SH in your environment?

0 Karma
Reply

Robertoing
Explorer
‎04-27-2022 01:23 AM

Hi @SinghK ,

 

Correct.
Now, I need to install an heavy forwarder like a second Splunk Enterprise instance in one of those machines (SH, Indexer, Deployment-server): what do you suggest?   

 

Thank you.

0 Karma
Reply

SinghK
Builder
‎04-27-2022 01:45 AM

Then you need a extra server there is no other way to deploy a HF or you can do is remove one of your SH and make it a Heavy Forwarder.  Thats all I can think of...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...