Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Heavy forwarder with httpout to indexer cluster

j01am
Explorer
‎02-19-2024 04:50 AM

Hello everyone,

 

Quick question : I need to forward data from HF to Indexer cluster.

Right now, I'm using S2S tcpout function, with useAck, default loadbalancing and maxQueueSize

I study the possibility to use the httpout instead of tcpout, due to traffic filtering.

 

The documentation seems a bit light about httpout, is it possible to use Indexer loadbalancer, ack, and maxQueueSize function?

Thanks for your help!

 

Jonas

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-12-2024 11:55 PM
Hi
What issue you are trying to solve with this change?
I think that usually it’s better to use S2S between splunk nodes than http version.
r. Ismo
0 Karma
Reply

j01am
Explorer
‎04-13-2024 03:08 AM

Hello @isoutamo 

Thanks a lot for your feedback

I need to study the httpout because Splunk nodes communicate though customer network, with firewalls, so it's easier to open a proxy compatible traffic than a tcp/9997 for example.

So, is there any possibility to use Indexer loadbalancer, ack, and maxQueueSize functions in httpout ?

A saw that httpout is a relative new functionnality, since 8.x, maybe these functionality will be in the roadmap?

 

Thanks

Jonas

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2024 04:40 AM

Disclaimer - I haven't used httpout much so I might be mistaken here.

But.

httpout is not a HEC output (although it needs an HEC input and valid HEC token; it's complicated). It's s2s protocol embedded in http transport. It is indeed a fairly recent invention mostly aimed at situations like yours - where it's easier (politically, not technically) to allow outgoing http traffic (even if it's only pseudo-http) than some unknown protocol.

Having said that I'd expect most of the functionalities normally working with tcpout (like useACK) to work.

I'd test it first in the lab before pushing to prod anyway.

0 Karma
Reply

j01am
Explorer
‎04-14-2024 01:03 PM

Current documentation is very light regarding httpout, hope it will be improved in next versions

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-14-2024 01:58 PM

That's true. Remember that docs pages have feedback form on the bottom. You can use it to... provide feedback. And yes, this feedback (of course if precise and reasonable, not just "I don't like this page" ;-)) is read and the docs pages do get better in time because of that.

0 Karma
Reply

j01am
Explorer
‎04-12-2024 03:33 PM

Anyone have inputs about that?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...