Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multisite Heavy forwarder connectivity to multisite UF- How do I need to set up the connection?

BT
Path Finder
‎04-17-2022 11:21 PM

Hi Team,

 

Could you please clarify my doubt on connectivity between Heavy forwarder and Universal Forwarder. I have 2 site, Heavy forwarder and universal forwarder on both site.  Do I need to connect  the heavy forwarder  on X site to universal forwarder on X site only  or do I need to connect HF on X site to both X and Y site UFs. 

 

There will be connectivity between both sites. Heavy forwarder are not connected to each other. they will be pushing data to indexers which are clustered.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-18-2022 09:38 AM

It depends on your circumstances and needs. Using only local HFs can be desired if you have severely limited bandwidth between sites or some data security limitation. Using all HFs on the other hand removes SPOF and allows for better workload distribution.

So there is no sigle optimal solution for all possible cases

0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:32 PM
  • Well the first question is why are you connecting UF to hf is there a specific requirement as UF can connect directly to indexers or cluster.
0 Karma
Reply

BT
Path Finder
‎04-17-2022 11:35 PM

Hi,

I want is to configure universal forwarder to send logs/data to heavy  forwarders and do some filtering there, and then forward the logs to indexers from heavy weight forwarders. 

 

 

Tags (1)
0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:38 PM

Then create a normal output.conf on uf and point it to hf and on hf create input similar to indexers 

[Splunktcp://: port ]

Rest of your input config 

 

And hf is already connected to indexers so it should start sending data.

Use props on hf to filter data and a should be set.

0 Karma
Reply

BT
Path Finder
‎04-17-2022 11:51 PM

Then create a normal output.conf on uf and point it to hf  ---- both sites HF ?

0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:53 PM

x to x and y to y 

0 Karma
Reply

SinghK
Builder
‎04-17-2022 11:41 PM

for more info check this post out 

https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-from-universal-forwarders-to-hea... 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...