Getting Data In

System requirements for Universal Forwarder

erick_thompson
Explorer

I am in the process of setting up a Universal Forwarder that will be running on EC2. I am looking for information on hardware recommendations for on the forwarder. There is great information on the Splunk servers themselves, but nothing on the forwarders. Is there a place in the documentation that I missed?

If not, if anyone has any rules of thumb for a Universal Forwarder, that would be great.

Thanks!
Erick

Tags (2)
0 Karma

Drainy
Champion

Have a look at;
http://splunk-base.splunk.com/answers/7076/questions-about-splunk-queues
Splunk uses queues for indexing/forwarding and these become blocked when overloaded. To troubleshoot you can have a look at;
http://wiki.splunk.com/Community:TroubleshootingBlockedQueues

Finally, install the splunk SoS app! It can help measure throughput and blocked queues all in a few dashboards which would allow you to performance test / record your network setup.

By a "test index" I just mean not to use the main index when you start, send it all to a test index, delete it and start again when you are happy with your setup.

erick_thompson
Explorer

I should have described my setup a little better, as don't believe that I can use a test index. My setup is a number of servers sending to a single forwarder which forwards to storm. I am doing tests on the servers that will roughly simulate a load base (which would get multiplied by number of users).

From what I understand, the test index requires splunk instances that forward to the UF which gets forwarded to the target instance.

My current plan is to write a test application that sends a large number of messages to the forwarder, but I don't know how to measure if the forwarder is overloaded. Would the fishbucket work for that?

Thanks,
Erick

0 Karma

Drainy
Champion

Welcome!
Have a look at;
http://docs.splunk.com/Documentation/Splunk/4.2.5/Deploy/Deploymentoverview

This has some best practices and recommendations when planning your first deployment.
The UF itself is designed to use as little resource as possible and is rate limited to 256kbps (by default, can be changed) when first installed.
Your best shout is to install and get started and come back with any specific issues. If its a first setup its always a great idea to test against a test index on the indexer, saves having to clear everything and start again if you go wrong.

If you do use a test index you can set the destination index via inputs.conf on the UF;
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

and when you have finished your test the idea is that you can delete the test index on the indexer, set the UF to forward to your production index and reset the UF so it sends everything again.

The UF uses something called a fishbucket to record what files it has forwarded, you can clear this to re-send everything with (in the splunk/bin directory) ./splunk clean all

If you have set a password on the UF this will also reset that, I don't believe it resets the configs but it never hurts to take a backup first. Remember to only use that on the UF (Universal forwarder)

erick_thompson
Explorer

I added another answer, as I didn't have enough space here. I will clean up the answer later.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...