useack in distributed environment 2 sets of heavy ...

craigwilkinson · ‎06-10-2021

Hi Splunk Support!

We currently have a large Distributed Envirionment where we have 3 sets of Heavy forwarders which have 2 nodes, before hitting an indexer.

Set HFWA --> Has 2 Heavy forwarders

Set HFWB --> has 2 heavy forwarders

Set HFWC --> has 2 heavy forwarders

The data flow goes HFWA ---> HFWB ---> HFWC ---> Indexer.

HFWA outputs.conf has useACK=true.

HFWB & HFWC have useACK=false.

So

The data flow goes HFWA (useACK=true) ---> HFWB (useACK=false) ---> HFWC(useACK=false) ---> Indexer.

What is the expected output? Will HFWB Give an acknowledgement back to HFWA?

Is this an issue in our environment?

Thanks!

-Craig

isoutamo · ‎06-10-2021

Hi
it’s exactly that way. You should use that same settings on all your uf + hf nodes to take it really into use.
Did you know that your placement is not as Splunk’s best practices said. Optimal configuration is avoid HFS between UFs and indexers.

r. Ismo

craigwilkinson · ‎06-10-2021

Hi could you please explain by "its exactly that way"

If 2 sets of our heavy forwarders have useACK... but 1 of of the set of Heavy Forwarders doesnt have useACK before indexing.. what happens? Will the first 2 set of Heavy forwarders continue to hold the data until an ACK is recieved? Which I assume it enver will, because HFWC doesnt have this enabled?

useack in distributed environment 2 sets of heavy forwaders

configuration

troubleshooting

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?