Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multisite Heavy forwarder connectivity to multisite UF- How do I need to set up the connection?

BT
Path Finder
‎04-17-2022 11:21 PM

Hi Team,

 

Could you please clarify my doubt on connectivity between Heavy forwarder and Universal Forwarder. I have 2 site, Heavy forwarder and universal forwarder on both site.  Do I need to connect  the heavy forwarder  on X site to universal forwarder on X site only  or do I need to connect HF on X site to both X and Y site UFs. 

 

There will be connectivity between both sites. Heavy forwarder are not connected to each other. they will be pushing data to indexers which are clustered.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-18-2022 09:38 AM

It depends on your circumstances and needs. Using only local HFs can be desired if you have severely limited bandwidth between sites or some data security limitation. Using all HFs on the other hand removes SPOF and allows for better workload distribution.

So there is no sigle optimal solution for all possible cases

0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:32 PM
  • Well the first question is why are you connecting UF to hf is there a specific requirement as UF can connect directly to indexers or cluster.
0 Karma
Reply

BT
Path Finder
‎04-17-2022 11:35 PM

Hi,

I want is to configure universal forwarder to send logs/data to heavy  forwarders and do some filtering there, and then forward the logs to indexers from heavy weight forwarders. 

 

 

Tags (1)
0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:38 PM

Then create a normal output.conf on uf and point it to hf and on hf create input similar to indexers 

[Splunktcp://: port ]

Rest of your input config 

 

And hf is already connected to indexers so it should start sending data.

Use props on hf to filter data and a should be set.

0 Karma
Reply

BT
Path Finder
‎04-17-2022 11:51 PM

Then create a normal output.conf on uf and point it to hf  ---- both sites HF ?

0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:53 PM

x to x and y to y 

0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:41 PM

for more info check this post out 

https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-from-universal-forwarders-to-hea... 

Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...