Greetings,
At my current company, we're using Splunk Cloud and I'm looking to deploy a new Heavy Forwarder to forward data along to the Cloud instance. The question is, what's the appropriate way to do this?
From Splunk Cloud, I downloaded the Universal Forwarder package from "Apps > Universal Forwarder". I also downloaded the Credential package from there as well. Both have been installed on an internal host (which is intended to be the Heavy Forwarder) and I'm now forwarding data over to Splunk as expected. The only issue is that Splunk is picking it up as a Universal Forwarder when looking at the Cloud Monitoring Console (which makes sense being that I installed the Universal Package). But what I'm really looking to do is deploy a Heavy Forwarder.
From what I've read thus far, it looks like I have to install a full Splunk Enterprise instance on the internal host and enable forwarding on it to make it a Heavy Forwarder. How would I best be able to do this, and would I need an additional License do do so?
I'd like to manage the .conf files on the forwarder and create custom field extractions and all that good stuff from the host directly, rather than doing that through the Splunk Cloud UI.
Looking for some additional insight. Thank you in advance!
The difference between a Heavy Forwarder and a Universal Forwarder is the code that you install. The former is "Splunk" and the latter is "Splunk Universal Forwarder".
In both cases, you install the "Universal Forwarder" app from Splunk Cloud to enable forwarding to your cloud stack.
Also in both cases, the forwarder is managed by your on-prem Deployment Server, not by anything in Splunk Cloud.
Are you sure you need a heavy forwarder? You can manage .conf files yourself by putting them into an app and then uploading that app to Splunk Cloud. Doing that means fields are extracted by the indexers and data is forwarded by a light-weight UF, which should make for better performance.
Yes, you need a normal Splunk Enterprise instaler. Whereas UF is a separate software package, HF is just your "normal" Splunk server, but it's not doing local indexing but only forwarding the pre-parsed data to the indexers. You don't need additional licences just because you add a HF. You might need it if you're going to exceed your ingest limits (if you're on ingest licensing) but it's in no way directly connected to just adding a HF.
Oh, and remember that you won't do search-time field extractions on HF. Those you do only on SH level. HF's are only for ingesting data. So you might parse out some indexed fields using HF's but no search-time parsing.
The difference between a Heavy Forwarder and a Universal Forwarder is the code that you install. The former is "Splunk" and the latter is "Splunk Universal Forwarder".
In both cases, you install the "Universal Forwarder" app from Splunk Cloud to enable forwarding to your cloud stack.
Also in both cases, the forwarder is managed by your on-prem Deployment Server, not by anything in Splunk Cloud.
Are you sure you need a heavy forwarder? You can manage .conf files yourself by putting them into an app and then uploading that app to Splunk Cloud. Doing that means fields are extracted by the indexers and data is forwarded by a light-weight UF, which should make for better performance.
I forgot to mention that you *will* need a license for your HF to enable the necessary features. Contact Splunk Support for that.
Sorry for the confusion but as far as I remember you don't need additional license in terms of additional paid functionalities, right? It's just a "technical" license to enable functionalities on the server.
The license is not for paid functionality. It's to keep the HF from reverting to a Free license after 30 days and all which that entails.
So to be clear, it's not an additional paid license to deploy a Heavy Forwarder, but we still have to contact Splunk Support to get another license for the Heavy Forwarder that way it doesn't revert back to a free license after 30 days? In other words, it doesn't cost any more? Truthfully, I'll probably continue with the current setup of using a Universal Forwarder to push data along to Splunk Cloud and upload my packaged apps there when custom field extractions and that stuff is needed. I'm asking now for sake of clarity. I run a test/dev Splunk instance via the Splunk docker image for testing and building custom apps. I'll use the "Splunk Add-on Builder" app to build and package custom apps for installation in Splunk Cloud where necessary.
Yes, the HF license is free.