Splunk Enterprise

Multisite heavy forwarder connectivity to multisite UF: How do I need to set up the connection?

BT
Path Finder

Hi Team,

Could you please clarify my doubt on connectivity between heavy forwarders and universal forwarders? I have 2 sites, with heavy forwarders and universal forwarders on both sites. Do I need to connect the heavy forwarder on site X to the universal forwarders on site X only, or do I need to connect the HF on site X to both the X and Y site UFs?

There will be connectivity between both sites. The heavy forwarders are not connected to each other. They will be pushing data to indexers, which are clustered.

0 Karma

PickleRick
SplunkTrust

It depends on your circumstances and needs. Using only local HFs can be desired if you have severely limited bandwidth between sites or some data security limitation. Using all HFs on the other hand removes SPOF and allows for better workload distribution.

So there is no single optimal solution for all possible cases.

0 Karma

SinghK
Builder
Well, the first question is: why are you connecting the UF to the HF? Is there a specific requirement, as the UF can connect directly to the indexers or cluster?
0 Karma

BT
Path Finder

Hi,

I want to configure the universal forwarder to send logs/data to the heavy forwarders, do some filtering there, and then forward the logs to the indexers from the heavy forwarders.
0 Karma

SinghK
Builder

Then create a normal output.conf on the UF and point it to the HF, and on the HF create an input similar to the indexers':

[splunktcp://:<port>]

Rest of your input config

And the HF is already connected to the indexers, so it should start sending data.

Use props on hf to filter data and a should be set.

0 Karma

BT
Path Finder

Then create a normal output.conf on uf and point it to hf ---- both sites' HF?

0 Karma

SinghK
Builder

x to x and y to y 

0 Karma
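The per-site layout suggested in the thread (site X UFs sending to site X HFs, with filtering on the HF before the indexers), written out as an added configuration sketch that is not from any of the posters. The host names, port 9997, the group name, the sourcetype and the regex are assumed placeholders.

```ini
# ---- Site X universal forwarder: outputs.conf ----
[tcpout]
defaultGroup = site_x_hf

[tcpout:site_x_hf]
# Two local HFs (assumed names). The UF load-balances across the list,
# so losing one HF does not stop forwarding from this site.
server = hf1.sitex.example.com:9997, hf2.sitex.example.com:9997
# For the "use all HFs" option discussed above, add the site Y HFs
# to the same server list instead of keeping it site-local.

# ---- Site X heavy forwarder: inputs.conf ----
# Listen for forwarder traffic on the port the UFs point at.
[splunktcp://:9997]
disabled = 0

# ---- Site X heavy forwarder: props.conf ----
# Attach a filtering transform to the sourcetype to be thinned out
# (assumed sourcetype name).
[example:sourcetype]
TRANSFORMS-drop_debug = drop_debug

# ---- Site X heavy forwarder: transforms.conf ----
# Events matching the regex are routed to nullQueue and never reach
# the indexers; everything else follows the HF's existing outputs.conf.
[drop_debug]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

# Site Y mirrors this with its own HF host names in the UF server list.
```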
