Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting useACK in outputs.conf in a Distributed Environment (Universal Forwarder + Heavy Forwarder + Indexer)

edoardo_vicendo
Contributor
‎04-14-2021 08:18 AM

Hello,

In a distributed environment with Universal Forwarder, Heavy Forwarder and Indexers, like this one:

UF --> HF --> IDX

How do you set useACK=true in outputs.conf ?

Is it needed to be enabled both on Universal Forwarder and Heavy Forwarder?

We currently have it enabled only on the Heavy Forwarder.

Thanks a lot,

Edoardo

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2021 12:21 PM

As I understand it, the instance with useACK=true will buffer packets until they are acknowledged by the indexer.  If useACK=false then the packet is discarded once it is sent.  (These are Splunk packets, not TCP packets.)  Also, useACK adds a kind of flow control to the data stream.  For better end-to-end control, use useACK=true on the UF and HF.  Note that this will force the instance to use more memory.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2021 12:21 PM

As I understand it, the instance with useACK=true will buffer packets until they are acknowledged by the indexer.  If useACK=false then the packet is discarded once it is sent.  (These are Splunk packets, not TCP packets.)  Also, useACK adds a kind of flow control to the data stream.  For better end-to-end control, use useACK=true on the UF and HF.  Note that this will force the instance to use more memory.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

edoardo_vicendo
Contributor
‎05-20-2021 09:20 AM

Thank you, is well described here:

https://docs.splunk.com/Documentation/Forwarder/8.2.0/Forwarder/Protectagainstthelossofin-flightdata...

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...