Splunk Cloud - Deploying a Heavy Forwarder

avajax0
Explorer

Greetings,


At my current company, we're using Splunk Cloud and I'm looking to deploy a new Heavy Forwarder to forward data along to the Cloud instance. The question is, what's the appropriate way to do this?

From Splunk Cloud, I downloaded the Universal Forwarder package from "Apps > Universal Forwarder". I also downloaded the Credential package from there as well. Both have been installed on an internal host (which is intended to be the Heavy Forwarder) and I'm now forwarding data over to Splunk as expected. The only issue is that Splunk is picking it up as a Universal Forwarder when looking at the Cloud Monitoring Console (which makes sense being that I installed the Universal Package). But what I'm really looking to do is deploy a Heavy Forwarder.

From what I've read thus far, it looks like I have to install a full Splunk Enterprise instance on the internal host and enable forwarding on it to make it a Heavy Forwarder. How would I best be able to do this, and would I need an additional License to do so?

I'd like to manage the .conf files on the forwarder and create custom field extractions and all that good stuff from the host directly, rather than doing that through the Splunk Cloud UI.


Looking for some additional insight. Thank you in advance!

richgalloway
SplunkTrust

The difference between a Heavy Forwarder and a Universal Forwarder is the code that you install.  The former is "Splunk" and the latter is "Splunk Universal Forwarder".

In both cases, you install the "Universal Forwarder" app from Splunk Cloud to enable forwarding to your cloud stack.

Also in both cases, the forwarder is managed by your on-prem Deployment Server, not by anything in Splunk Cloud.

Are you sure you need a heavy forwarder?  You can manage .conf files yourself by putting them into an app and then uploading that app to Splunk Cloud.  Doing that means fields are extracted by the indexers and data is forwarded by a light-weight UF, which should make for better performance.

---
If this reply helps you, Karma would be appreciated.


PickleRick
SplunkTrust

Yes, you need a normal Splunk Enterprise installer. Whereas UF is a separate software package, HF is just your "normal" Splunk server, but it's not doing local indexing but only forwarding the pre-parsed data to the indexers. You don't need additional licences just because you add a HF. You might need it if you're going to exceed your ingest limits (if you're on ingest licensing) but it's in no way directly connected to just adding a HF.

Oh, and remember that you won't do search-time field extractions on HF. Those you do only on SH level. HFs are only for ingesting data. So you might parse out some indexed fields using HFs but no search-time parsing.

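To illustrate the two set-ups discussed in this thread (an added example, not configuration posted by anyone here; the app name and sourcetype are placeholders, and the server list and SSL settings are assumed to come from the Splunk Cloud credential package):

```ini
# Added illustration only. Placeholders: my_extractions_app, acme:firewall.

# (1) Heavy forwarder: a full Splunk Enterprise install that only forwards.
#     File on the HF: $SPLUNK_HOME/etc/system/local/outputs.conf (or a
#     dedicated app's local/outputs.conf). The credential package downloaded
#     from Splunk Cloud already supplies the tcpout group, server list and
#     SSL settings; the only addition needed here is indexAndForward = false,
#     which stops the HF from also writing events to its own indexes.
[tcpout]
indexAndForward = false

# (2) UF-only alternative from the accepted answer: keep the extraction logic
#     in an app that is uploaded to Splunk Cloud, so the UF ships raw data
#     and the Cloud indexers / search heads do the parsing.
#     File: my_extractions_app/default/app.conf
[install]
state = enabled

[package]
id = my_extractions_app

#     File: my_extractions_app/default/props.conf
#     EXTRACT-* is a search-time extraction evaluated on the search tier; it
#     is never applied by a forwarder, HF included (as noted in the reply above).
[acme:firewall]
EXTRACT-conn = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) dst=(?<dst_ip>\d{1,3}(?:\.\d{1,3}){3}) action=(?<action>\w+)
#     Index-time settings (TRANSFORMS-*, LINE_BREAKER, TIME_FORMAT, ...) are the
#     only parsing an HF performs; they would go on the HF or the Cloud indexers.
```

Either file set is deployed as an ordinary app: on-prem via the Deployment Server for the forwarder side, and via the Splunk Cloud app upload for the search-time side.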


richgalloway
SplunkTrust

I forgot to mention that you *will* need a license for your HF to enable the necessary features.  Contact Splunk Support for that.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

Sorry for the confusion, but as far as I remember you don't need an additional license in terms of additional paid functionalities, right? It's just a "technical" license to enable functionalities on the server.


richgalloway
SplunkTrust

The license is not for paid functionality.  It's to keep the HF from reverting to a Free license after 30 days and all which that entails.

---
If this reply helps you, Karma would be appreciated.

avajax0
Explorer

So to be clear, it's not an additional paid license to deploy a Heavy Forwarder, but we still have to contact Splunk Support to get another license for the Heavy Forwarder so that it doesn't revert back to a free license after 30 days? In other words, it doesn't cost any more? Truthfully, I'll probably continue with the current setup of using a Universal Forwarder to push data along to Splunk Cloud and upload my packaged apps there when custom field extractions and that stuff are needed. I'm asking now for the sake of clarity. I run a test/dev Splunk instance via the Splunk docker image for testing and building custom apps. I'll use the "Splunk Add-on Builder" app to build and package custom apps for installation in Splunk Cloud where necessary.


richgalloway
SplunkTrust

Yes, the HF license is free.

---
If this reply helps you, Karma would be appreciated.