- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Multisite Heavy forwarder connectivity to multisit...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multisite Heavy forwarder connectivity to multisite UF- How do I need to set up the connection?
Hi Team,
Could you please clarify my doubt on connectivity between Heavy forwarder and Universal Forwarder. I have 2 site, Heavy forwarder and universal forwarder on both site. Do I need to connect the heavy forwarder on X site to universal forwarder on X site only or do I need to connect HF on X site to both X and Y site UFs.
There will be connectivity between both sites. Heavy forwarder are not connected to each other. they will be pushing data to indexers which are clustered.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on your circumstances and needs. Using only local HFs can be desired if you have severely limited bandwidth between sites or some data security limitation. Using all HFs on the other hand removes SPOF and allows for better workload distribution.
So there is no sigle optimal solution for all possible cases
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Well the first question is why are you connecting UF to hf is there a specific requirement as UF can connect directly to indexers or cluster.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want is to configure universal forwarder to send logs/data to heavy forwarders and do some filtering there, and then forward the logs to indexers from heavy weight forwarders.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then create a normal output.conf on uf and point it to hf and on hf create input similar to indexers
[Splunktcp://: port ]
Rest of your input config
And hf is already connected to indexers so it should start sending data.
Use props on hf to filter data and a should be set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then create a normal output.conf on uf and point it to hf ---- both sites HF ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
x to x and y to y
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for more info check this post out
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
