How to configure heavy forwarders as intermediate forwarders?

shivanandbm
New Member

I would like to have six intermediate forwarders before the indexers. Also, I am interested in configuring parsing on the intermediate forwarders only. Can someone help me with how to configure this?

I have done the basic configuration, where I am facing parsing queues and tail reader errors on the IF, and traffic is getting blocked.

Can you please help me solve this problem?


gcusello
Esteemed Legend

Hi @shivanandbm,

as @richgalloway said, the number of Heavy Forwarders is relevant only for performance; how many final Forwarders have to send their logs to the Intermediate Forwarders?

Usually two Intermediate Forwarders are used (and they could be heavy or also Universal Forwarders), and if there's a queue issue on one of them it's better to give it more resources than to add a new one; anyway, using six Intermediate Forwarders should be mandatory only when you have hundreds of thousands of other Forwarders!

The only situation in which to use six Intermediate Forwarders is when you have three segregated networks and you have to put two of them in each of these networks.

Anyway, about configuration, you have to create an App, called e.g. TA_Forwarders, where there are only three files:

  • app.conf, containing information about the app,
  • deploymentclient.conf containing the address of the Deployment Server,
  • outputs.conf, addressing the Intermediate heavy Forwarders,

and then deploy this app to all the final Forwarders that have to send their logs to the Indexers passing through the Intermediate HF.

Then you have to create another app, called e.g. TA_HF, containing the same files, but addressing the Indexers and then deploy to the Heavy Forwarders.

The correct question is: how to manage all these Forwarders (final and Intermediate)?

You have two solutions:

  • use one Deployment Server reachable by all the Forwarders (final and Intermediate); it's the easiest solution but requires opening a connection between all the Forwarders (Intermediate and final) and the Deployment Server,
  • use a primary Deployment Server to manage the Heavy Forwarders and all the other Forwarders directly connected to Indexers, and use one of the Heavy Forwarders of each segregated network as a secondary Deployment Server that manages the Forwarders of its network.

The second solution is just a little more complicated but preferable.

I hope I have answered your question and not increased your confusion!

Ciao.

Giuseppe
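
The two-app layout described in this answer, as an added example that is not part of the original posts or Splunk's own documentation. All hostnames, the ports 9997 and 8089, the group names and the `local/` placement are assumptions for illustration; the `inputs.conf` stanza is not listed in the answer but is needed for an intermediate forwarder to receive data, and `useACK` is optional.

```ini
# ===== App 1: TA_Forwarders (deployed to the final forwarders) =====

# --- TA_Forwarders/local/app.conf : information about the app ---
[launcher]
version = 1.0.0

[ui]
is_visible = false

# --- TA_Forwarders/local/deploymentclient.conf : address of the Deployment Server ---
[deployment-client]

[target-broker:deploymentServer]
# Constructed hostname; 8089 is assumed as the management port
targetUri = ds.example.com:8089

# --- TA_Forwarders/local/outputs.conf : send to the intermediate heavy forwarders ---
[tcpout]
defaultGroup = intermediate_hf

[tcpout:intermediate_hf]
# Listing both IFs lets the forwarder load-balance between them
server = if1.example.com:9997, if2.example.com:9997
# Optional: keep data queued until the receiver acknowledges it
useACK = true

# ===== App 2: TA_HF (deployed to the intermediate heavy forwarders) =====
# app.conf and deploymentclient.conf follow the same pattern as above.

# --- TA_HF/local/inputs.conf : listen for the final forwarders (assumed port) ---
[splunktcp://9997]
disabled = 0

# --- TA_HF/local/outputs.conf : same file as above, but addressing the indexers ---
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true
```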


richgalloway
SplunkTrust

Why do you want 6 intermediate forwarders?  IFs can impede performance and add complexity so they should be used only when necessary.

Parsing in a heavy forwarder is automatic so no configuration is needed other than installing TAs that know how to process the sourcetypes.  Once data is parsed by the IF, it is not parsed again.

Tell us more about the problem you are having.

---
If this reply helps you, Karma would be appreciated.