Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

中間転送について (About intermediate transfer)

どらく
Explorer
‎08-25-2023 12:48 AM

I would like to know how to transfer data received from UniversalForwarder from HeavyForwarder to SplunkCloud. I would like to have a configuration like UF -> HF -> SplunkCloud.

I don't know about data transfer between UF and HF, but I don't know how to transfer that data to SplunkCloud.

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-25-2023 11:22 AM

To forward data from the UFs to the HFs, put the name or address of the HFs in an outputs.conf file on each UF.  See https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configuretheuniversalforwarder for more information. (Replace "Indexer" with "Heavy Forwarder" when reading the instructions.)

For sending from HF to Splunk Cloud, there is an app you must download from your Splunk Cloud search head.  Go to the "Universal Forwarder" app and click the green download button.  Install the downloaded app on the HFs.  Despite the name, the app can be used on either UFs or HFs.

Note, for better resiliency, consider having multiple HFs with each UF load balancing among them.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-25-2023 11:22 AM

To forward data from the UFs to the HFs, put the name or address of the HFs in an outputs.conf file on each UF.  See https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configuretheuniversalforwarder for more information. (Replace "Indexer" with "Heavy Forwarder" when reading the instructions.)

For sending from HF to Splunk Cloud, there is an app you must download from your Splunk Cloud search head.  Go to the "Universal Forwarder" app and click the green download button.  Install the downloaded app on the HFs.  Despite the name, the app can be used on either UFs or HFs.

Note, for better resiliency, consider having multiple HFs with each UF load balancing among them.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

どらく
Explorer
‎08-27-2023 07:49 PM

Do I need to configure the data to be transferred at HF?

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-28-2023 06:58 AM

No changes need to be made to the data.  Just configure the HF as described earlier.  there is an app you must download from your Splunk Cloud search head. Go to the "Universal Forwarder" app and click the green download button. Install the downloaded app on the HFs. Despite the name, the app can be used on either UFs or HFs.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎08-25-2023 11:30 AM

It is also worth noting that HFs parse data and forward it as parsed to indexers whereas UF forward so called "cooked" data. It means that:

1) You will see much more network bandwidth usage when pushing from HF

2) Since HFs parse events and the events are _not_ parsed again on indexers (the only operation possible on indexers in that setup is Ingest Action) you'd need to do all parsing on HFs which means you'd need to distribute all your relevant addons to the HF.

If you need an intermediate forwarder but don't require parsing before sending the events to cloud, you can install an intermediate UF receiving data from several splunktp sources and forwarding them to the cloud.

Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...