Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we clone the HF to another one?

Vnarunart
Explorer
‎11-07-2024 01:34 AM

I would like to seek advice from experienced professionals. I want to add another heavy forwarder to my environment as a backup in case the primary one fails (on a different network and not necessarily active-active).  * I have splunk cloud and 1 Heavy Forwarder, 1  Deployment server on premise.

1. If I copy a heavy forwarder (VM) from one vCenter to another, change the IP, and generate new credentials from Splunk Cloud, will it work immediately? (I want to preserve my existing configurations.)
2. I have a deployment server. Can I use it to configure two heavy forwarders? If so, what would be the implications? (Would there be data duplication, or is there a way to prioritize data?

Or is there a better way I should do this? Please advise.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2024 02:22 AM

Hi @Vnarunart ,

yes, you can clone the old HF to a new one but, in addition, remember to change also the hostname in $SPLUNK_HOME/etc/system/loca/server.conf and $SPLUNK_HOME/etc/system/loca/inputs.conf.

Anyway, having a Deployment Server, you could create a new Splunk installation and manage both the HFs with the DS deploying the same apps.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Vnarunart
Explorer
‎11-07-2024 07:10 PM

Thank you very much for your comprehensive response. I have a follow-up question. In a scenario where we have two HF, is there a way to determine which HF the data originated from when searching in Splunk Cloud?

Thank you for your advice and time.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2024 11:35 PM

Hi @Vnarunart ,

this is a request that I posted in Splunk Ideas (https://ideas.splunk.com/ideas/EID-I-1731) and it's in "Under consideration" state, if you think that's useful, please vote it!

Anyway, you could add to your Heavy forwarders a custom field with the name of the HF: https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/Configureindex-timefieldextraction

in props.conf

[default]
TRANSFORMS-hf_name = my_hf_1

in props.conf:

[my_hf_1]
REGEX = .
FORMAT = my_hf_1::my_hf_1
WRITE_META = [true]
DEST_KEY = my_hf_1
DEFAULT_VALUE = my_hf_1

and then in fields.conf

[my_hf_1]
INDEXED=true

one for each HF.

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

Vnarunart
Explorer
‎11-08-2024 12:46 AM

I appreciate your advice.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2024 12:47 AM

Hi @Vnarunart ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2024 02:22 AM

Hi @Vnarunart ,

yes, you can clone the old HF to a new one but, in addition, remember to change also the hostname in $SPLUNK_HOME/etc/system/loca/server.conf and $SPLUNK_HOME/etc/system/loca/inputs.conf.

Anyway, having a Deployment Server, you could create a new Splunk installation and manage both the HFs with the DS deploying the same apps.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...