Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting useACK in outputs.conf in a Distributed Environment (Universal Forwarder + Heavy Forwarder + Indexer)

edoardo_vicendo
Builder
‎04-14-2021 08:18 AM

Hello,

In a distributed environment with Universal Forwarder, Heavy Forwarder and Indexers, like this one:

UF --> HF --> IDX

How do you set useACK=true in outputs.conf ?

Is it needed to be enabled both on Universal Forwarder and Heavy Forwarder?

We currently have it enabled only on the Heavy Forwarder.

Thanks a lot,

Edoardo

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2021 12:21 PM

As I understand it, the instance with useACK=true will buffer packets until they are acknowledged by the indexer.  If useACK=false then the packet is discarded once it is sent.  (These are Splunk packets, not TCP packets.)  Also, useACK adds a kind of flow control to the data stream.  For better end-to-end control, use useACK=true on the UF and HF.  Note that this will force the instance to use more memory.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-14-2021 12:21 PM

As I understand it, the instance with useACK=true will buffer packets until they are acknowledged by the indexer.  If useACK=false then the packet is discarded once it is sent.  (These are Splunk packets, not TCP packets.)  Also, useACK adds a kind of flow control to the data stream.  For better end-to-end control, use useACK=true on the UF and HF.  Note that this will force the instance to use more memory.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

edoardo_vicendo
Builder
‎05-20-2021 09:20 AM

Thank you, is well described here:

https://docs.splunk.com/Documentation/Forwarder/8.2.0/Forwarder/Protectagainstthelossofin-flightdata...

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...