Getting Data In

Is there something different you have to do for a HF-HF-INDEXER than a UF-HF-INDEXER?

tam82
Explorer

My UF-HF-Indexer setup is working great; however, I need to add an HF-HF-Indexer as well.

The first HF sends to the other HF, but the data is not indexed, and the UF attached to HF1 is not showing up at all.

Is there something different you have to do for an HF-HF-INDEXER than a UF-HF-INDEXER?


danielcj
Communicator

Hello,

To use a Heavy Forwarder as an intermediate tier, you should listen on the port that the UF/HF sends its data to (usually 9997) and configure the correct outputs to the Indexer tier. The first HF should also have its outputs configured to the second HF, and the Indexer tier should listen on the inputs port (9997) too.

Also, the data is not indexed on the second HF; it is indexed only on the Indexing tier.


Thanks.


tam82
Explorer

UF1 sends to HF1 (listens on 9997), which then forwards to HF2 (listens on 9997) (this is where UF1 gets blocked), which then sends to INDX1 (listens on 9997).

UF2 goes directly to HF2 -> Index1. This works fine.


gcusello
SplunkTrust

Hi @tam82,

As @danielcj said, you can use an HF as a concentrator, and this is the usual approach when using Splunk Cloud or having restricted networks.

In this case you have to enable the ports (usually 9997), and you can use it both for UFs and HFs.

The only thing that you have to remember when adding an HF as a data source is that an HF cooks data, so if you have some transformation or filter on your intermediate HF, you have to copy them also on the new HF, because usually HFs send already cooked logs.

Ciao.

Giuseppe

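The chain danielcj and gcusello describe (UF1 -> HF1 -> HF2 -> INDX1, every hop listening on 9997), written out as an added configuration example that is not from this thread; the hostnames and the $SPLUNK_HOME/etc/system/local paths are assumed placeholders.

```ini
# Added example, not from the thread. Hostnames are assumed placeholders.

# ---- HF1: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Accept Splunk-to-Splunk traffic from UF1.
[splunktcp://9997]
disabled = 0

# ---- HF1: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Forward everything received to HF2; do not index locally.
# HF1 is the first HF in the path, so it parses (cooks) the data:
# any props.conf/transforms.conf filtering that lives on HF2 must also be
# deployed here, because HF2 passes already-cooked events through unparsed.
[tcpout]
defaultGroup = hf2_tier

[tcpout:hf2_tier]
server = hf2.example.com:9997

[indexAndForward]
index = false

# ---- HF2: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# One listener serves both UF2 (raw data) and HF1 (cooked data).
[splunktcp://9997]
disabled = 0

# ---- HF2: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Still no local indexing; only the indexer tier indexes.
[tcpout]
defaultGroup = indexer_tier

[tcpout:indexer_tier]
server = indx1.example.com:9997

[indexAndForward]
index = false

# ---- INDX1: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# The indexer has no tcpout stanza, so it indexes what it receives.
[splunktcp://9997]
disabled = 0
```

After a restart of each tier, check that the receiving port is open on HF2 from HF1 and that HF1's splunkd.log shows a connection to hf2_tier; an intermediate HF with a tcpout group but no reachable receiver will block its queues, which is the symptom described for UF1.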

isoutamo
SplunkTrust

Maybe one nice-to-know fact is that when you are replacing a UF with an HF, you start to generate more traffic between those hosts, as the HF adds more metadata to all events. Basically, if you don't need to do any data manipulation (like transforms) on the intermediate forwarder, it's better to use a UF instead of an HF. Just increase the UF's throughput with limits.conf if the normal 256K is not enough.
