Deployment Architecture

Would it be possible for UFs to forward/send logs/events to other HFs/UFs?

SplunkDash
Motivator

Hello,

Would it be possible for UFs to forward/send logs/events to other HFs/UFs? Thank you!



smurf
Communicator

Hello,

Yes, it is possible to send logs from UFs to HFs, since you can set up HFs to act as receivers.

On the HF you need to set up receiving as described here: Enable a receiver - Splunk Documentation

In inputs.conf (HF), set up the listening port (9997 is the default):

[splunktcp://9997]
disabled = 0


On the UF you need to set up forwarding to the HF as described here: Configure forwarders with outputs.conf - Splunk Documentation

In outputs.conf (UF), set up sending events to the HF. You can name the groups whatever you want. You also need to change the server name / IP.

[tcpout]
defaultGroup=my_HFs

[tcpout:my_HFs]
server=mysplunk_heavy:9997

[tcpout-server://mysplunk_heavy:9997]


Hope this helps.

isoutamo
SplunkTrust

Hi

As @gcusello and @smurf already said, this is possible. But which one should you select, UF or HF? The best practice is to use a UF if possible and an HF only when you have no other option. The main reason for this is to save resources on that gateway/hub/intermediate node, as a UF is much smaller than an HF. Also, a UF generates less network traffic than an HF, as it doesn't add (as much) metadata as an HF does after it has processed events.

Basically, the only case when you should/have to use an HF is if you have some modular inputs which need e.g. Python on the HF side (e.g. TA for AWS, TA for M365, TA for VMware etc.).

As @gcusello already said, you should have several intermediate nodes and spread traffic from the UFs to all of those. When you are using a UF as a hub, you probably need to raise its throughput from 256 KBps to 1024 or higher. Just add this to limits.conf like:

[thruput]
maxKBps = 512

or higher, based on your traffic amount.

r. Ismo 
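As an added example (not code from any of the posts above), here is a small offline Python checker that ties smurf's inputs.conf/outputs.conf snippets to Ismo's limits.conf advice. It parses the two stanzas, verifies that the UF's tcpout target port matches an enabled splunktcp receiver on the HF and that defaultGroup names a defined group, and estimates the [thruput] maxKBps an intermediate UF needs for a given aggregate daily volume. The conf text is constructed from the thread's snippets; the 2x headroom factor and the power-of-two rounding are my assumptions, not Splunk guidance.

```python
import configparser
import math
import re

# Constructed sample configs mirroring the snippets posted in this thread.
HF_INPUTS_CONF = """
[splunktcp://9997]
disabled = 0
"""

UF_OUTPUTS_CONF = """
[tcpout]
defaultGroup=my_HFs

[tcpout:my_HFs]
server=mysplunk_heavy:9997

[tcpout-server://mysplunk_heavy:9997]
"""

DEFAULT_MAXKBPS = 256  # UF default quoted in the thread


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk .conf files are INI-like; stanza names contain ':' and '/', so
    only '=' is treated as a key/value delimiter and key case is preserved.
    """
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False,
        empty_lines_in_values=False,
    )
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def listening_ports(inputs):
    """Ports of enabled [splunktcp://...] or [splunktcp-ssl://...] stanzas."""
    ports = set()
    for stanza, kv in inputs.items():
        m = re.fullmatch(r"splunktcp(?:-ssl)?://(?:[^:]+:)?(\d+)", stanza)
        if m and kv.get("disabled", "0").strip().lower() not in ("1", "true"):
            ports.add(int(m.group(1)))
    return ports


def tcpout_targets(outputs):
    """(host, port) pairs of the groups named by [tcpout] defaultGroup.

    Raises ValueError when defaultGroup is missing, names an undefined
    group, or a server entry lacks a numeric port.
    """
    default = outputs.get("tcpout", {}).get("defaultGroup", "")
    if not default.strip():
        raise ValueError("[tcpout] has no defaultGroup")
    targets = []
    for group in (g.strip() for g in default.split(",")):
        stanza = outputs.get(f"tcpout:{group}")
        if stanza is None:
            raise ValueError(f"defaultGroup references undefined group {group!r}")
        for entry in stanza.get("server", "").split(","):
            host, _, port = entry.strip().rpartition(":")
            if not host or not port.isdigit():
                raise ValueError(f"bad server entry {entry!r} in [tcpout:{group}]")
            targets.append((host, int(port)))
    return targets


def check_pairing(inputs_text, outputs_text):
    """Problems found when pairing a UF outputs.conf with an HF inputs.conf.
    An empty list means every tcpout target port has an enabled receiver."""
    ports = listening_ports(parse_conf(inputs_text))
    problems = []
    if not ports:
        problems.append("HF has no enabled splunktcp receiver")
    for host, port in tcpout_targets(parse_conf(outputs_text)):
        if port not in ports:
            problems.append(f"UF sends to {host}:{port} but HF listens on {sorted(ports)}")
    return problems


def required_maxkbps(gb_per_day, headroom=2.0):
    """Suggested [thruput] maxKBps for a hub relaying gb_per_day of data.

    Average KB/s over 24 h (1 GB = 1024**2 KB), times a headroom factor for
    bursts (assumption: 2x), rounded up to the next power of two to match the
    256/512/1024 steps quoted in the thread, and never below the default.
    """
    kbps = gb_per_day * 1024 ** 2 / 86400 * headroom
    rounded = 2 ** math.ceil(math.log2(kbps)) if kbps > 1 else 1
    return max(DEFAULT_MAXKBPS, rounded)


def thruput_stanza(gb_per_day):
    """limits.conf text for the hub, or None if the default already suffices."""
    value = required_maxkbps(gb_per_day)
    if value == DEFAULT_MAXKBPS:
        return None
    return f"[thruput]\nmaxKBps = {value}\n"


if __name__ == "__main__":
    print(check_pairing(HF_INPUTS_CONF, UF_OUTPUTS_CONF) or "UF/HF port pairing OK")
    print(thruput_stanza(20) or "default maxKBps is enough")
```

Run it against the real files (`$SPLUNK_HOME/etc/system/local/outputs.conf` on the UF and the HF's `inputs.conf`) to catch the classic mistakes before restarting: a receiver stanza left at `disabled = 1`, a group name typo in `defaultGroup`, or a hub whose 256 KBps default silently queues data during peak hours.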

gcusello
SplunkTrust

Hi @SplunkDash,

yes it's possible.

The choice to use a Universal or a Heavy Forwarder depends on whether you want to parse and merge events before sending them to the Indexers.

If you want to leave all the pre-indexing operations to the Indexers, you can use either a UF or an HF as log concentrator; if you want to move the load of pre-indexing activities off the Indexers, you have to use an HF.

Anyway, I suggest always using (with either UFs or HFs) at least two machines to avoid Single Points of Failure.

Ciao.

Giuseppe

SplunkDash
Motivator

Hello,

Thank you for your quick response, I truly appreciate it. Is there any way I can check from the Splunk GUI that a UF forwarder is installed on any host/server?


gcusello
SplunkTrust

Hi @SplunkDash,

In the Deployment Server's [Settings -- Forwarder Management] or in the Monitoring Console's [Monitoring Console -- Forwarders -- Forwarders: Deployment] you have the list of all Forwarders (UFs and HFs) connected to the Deployment Server (or to the all-in-one Splunk Server).

Ciao.

Giuseppe
