Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Heavy forwarder with httpout to indexer cluster

j01am
Explorer
‎02-19-2024 04:50 AM

Hello everyone,

 

Quick question : I need to forward data from HF to Indexer cluster.

Right now, I'm using S2S tcpout function, with useAck, default loadbalancing and maxQueueSize

I study the possibility to use the httpout instead of tcpout, due to traffic filtering.

 

The documentation seems a bit light about httpout, is it possible to use Indexer loadbalancer, ack, and maxQueueSize function?

Thanks for your help!

 

Jonas

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-12-2024 11:55 PM
Hi
What issue you are trying to solve with this change?
I think that usually it’s better to use S2S between splunk nodes than http version.
r. Ismo
0 Karma
Reply

j01am
Explorer
‎04-13-2024 03:08 AM

Hello @isoutamo 

Thanks a lot for your feedback

I need to study the httpout because Splunk nodes communicate though customer network, with firewalls, so it's easier to open a proxy compatible traffic than a tcp/9997 for example.

So, is there any possibility to use Indexer loadbalancer, ack, and maxQueueSize functions in httpout ?

A saw that httpout is a relative new functionnality, since 8.x, maybe these functionality will be in the roadmap?

 

Thanks

Jonas

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2024 04:40 AM

Disclaimer - I haven't used httpout much so I might be mistaken here.

But.

httpout is not a HEC output (although it needs an HEC input and valid HEC token; it's complicated). It's s2s protocol embedded in http transport. It is indeed a fairly recent invention mostly aimed at situations like yours - where it's easier (politically, not technically) to allow outgoing http traffic (even if it's only pseudo-http) than some unknown protocol.

Having said that I'd expect most of the functionalities normally working with tcpout (like useACK) to work.

I'd test it first in the lab before pushing to prod anyway.

0 Karma
Reply

j01am
Explorer
‎04-14-2024 01:03 PM

Current documentation is very light regarding httpout, hope it will be improved in next versions

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-14-2024 01:58 PM

That's true. Remember that docs pages have feedback form on the bottom. You can use it to... provide feedback. And yes, this feedback (of course if precise and reasonable, not just "I don't like this page" ;-)) is read and the docs pages do get better in time because of that.

0 Karma
Reply

j01am
Explorer
‎04-12-2024 03:33 PM

Anyone have inputs about that?

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...