Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Indexer / Forwarder Acknowledgement explained

hrawat_splunk
Splunk Employee
Splunk Employee
‎08-07-2024 03:39 PM

If you use Splunk Enterprise or SplunkCloud, you can guard against loss of data when forwarding by enabling the indexer acknowledgment capability. With indexer acknowledgment, the forwarder will resend any data that the receiver does not acknowledge as "received".

You enable indexer acknowledgment on the forwarder, in the outputs.conf file.
See how acknowledgement works.
See how acknowledgement failure is handled.


However if the forwarder is restarted/stopped while waiting for indexer acknowledgment, in most of the cases unacknowledged data is not resend upon forwarder restart/start. That is because indexer acknowledgment is just an agreement  between the output processor and the target server.

 There are 4 major input types:

  1. File inputs(monitor/batch mode)
  2. Modular inputs
  3. Network inputs(TCP/UDP)
  4. HTTP inputs(http receiver endpoints/http event collector)

Only the file input in the monitor mode can resend data if the forwarder is restarted/stopped while waiting for indexer acknowledgment.

hrawat_splunk_0-1723069901155.png

 

Acknowledgement is sent back to the forwarder after replication factor is met. That means for rep factor 3, source indexer waits on acknowledgement from 2 replication target indexers.

Inputs on forwarders are not aware of the indexer acknowledgement process.

Latency increases when the target server is not an indexer as the intermediate tier will wait for acknowledgement before acknowledging back to edge forwarder.

For more information, see the outputs.conf spec file.

Labels (1)
Labels
Tags (2)
Reply

hrawat_splunk
Splunk Employee
Splunk Employee
3 weeks ago

You nailed it. You may want to check https://community.splunk.com/t5/Knowledge-Management/Splunk-Persistent-Queue/m-p/688223/highlight/tr...

Reply

gjanders
SplunkTrust
SplunkTrust
3 weeks ago

Persistent queue support for monitor inputs will be very useful once it's available.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
3 weeks ago

It may be worth adding that the acknowledgement option cannot protect against data loss a scenario where a forwarder is restarted while the remote endpoint is not available

To expand on this point, let's assume we have universal forwarder A, sending data to heavy forwarder B (and only HF B). (And then assume B connects to indexers)

If A is reading from a file and sending to B, if we shutdown B, and while B is unable to process data we restart A during this downtime of B, any "in memory" data is lost at this point as the memory buffer if flushed on shutdown.

The file monitor will re-read the portion of the file *after* the lost portion of the data.

 

This experiment is quite easy to setup in a development environment, the only point I'm adding is that (as advertised) the acknowledgement protects against intermediate data loss. It does not protect against data loss when the remote endpoint is down and the source is restarted.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Get Updates on the Splunk Community!

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...