Splunk Enterprise

Multisite Heavy forwarder connectivity to multisite UF- How do I need to set up the connection?

BT
Path Finder

Hi Team,

 

Could you please clarify my doubt on connectivity between Heavy forwarder and Universal Forwarder. I have 2 sites, with a heavy forwarder and a universal forwarder on both sites. Do I need to connect the heavy forwarder on X site to the universal forwarder on X site only, or do I need to connect the HF on X site to both X and Y site UFs?

 

There will be connectivity between both sites. Heavy forwarders are not connected to each other. They will be pushing data to indexers which are clustered.

0 Karma

PickleRick
SplunkTrust

It depends on your circumstances and needs. Using only local HFs can be desired if you have severely limited bandwidth between sites or some data security limitation. Using all HFs on the other hand removes SPOF and allows for better workload distribution.

So there is no single optimal solution for all possible cases.

0 Karma

SinghK
Builder
Well, the first question is why are you connecting UF to HF? Is there a specific requirement, as UF can connect directly to indexers or cluster?
0 Karma

BT
Path Finder

Hi,

What I want is to configure the universal forwarder to send logs/data to heavy forwarders and do some filtering there, and then forward the logs to indexers from the heavy weight forwarders.

 

 

0 Karma

SinghK
Builder

Then create a normal output.conf on UF and point it to HF, and on HF create an input similar to indexers:

[splunktcp://:<port>]

Rest of your input config

 

And HF is already connected to indexers, so it should start sending data.

Use props on hf to filter data and a should be set.

0 Karma

BT
Path Finder

Then create a normal output.conf on uf and point it to hf ---- both sites' HF?

0 Karma

SinghK
Builder

x to x and y to y 

0 Karma
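
The setup discussed in this thread, as an added configuration sketch that was not posted by any participant. The forwarder-side file is named outputs.conf in Splunk; the host names, port 9997, the sourcetype `my_app_logs` and the DEBUG filter are assumptions chosen for illustration.

```ini
# ---- UF on site X: outputs.conf ----
# Option A ("x to x"): send only to the site-local HF.
# Keeps traffic off the inter-site link, but that HF is a
# single point of failure for site X.
[tcpout]
defaultGroup = site_x_hf

[tcpout:site_x_hf]
server = hf-x.example.com:9997

# Option B (all HFs): list both sites' HFs in one group.
# The UF load-balances across them automatically and keeps
# sending if one HF is down. To use it, set
# defaultGroup = all_hf above and uncomment:
# [tcpout:all_hf]
# server = hf-x.example.com:9997, hf-y.example.com:9997

# ---- HF on each site: inputs.conf ----
# Receive forwarder traffic, same as on an indexer.
[splunktcp://:9997]
disabled = 0

# ---- HF: props.conf ----
# Attach a filtering transform to the (hypothetical) sourcetype.
[my_app_logs]
TRANSFORMS-drop_debug = drop_debug

# ---- HF: transforms.conf ----
# Events matching REGEX go to nullQueue and are discarded
# before the HF forwards the rest to the indexers.
[drop_debug]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

# The HF's own outputs.conf (pointing at the indexer cluster)
# is assumed to exist already, as stated in the thread.
```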
