Getting Data In

What are the reasons to use multiple receiving ports for Splunk forwarders?

hulahoop
Splunk Employee

When setting up an indexing server to receive data from Splunk forwarders, are there good technical or management reasons for using multiple receiving ports?

1 Solution

jrodman
Splunk Employee

I'm not aware of any reason to use multiple receiving ports for splunk-forwarded data. It's possible that at very large numbers of forwarders (say several thousand and up) there may be scalability issues that are mitigated with multiple receiving ports. Historically we have identified some problems of this shape, but the known issues have been addressed by design.

When sending non-splunk data, such as syslog, into a UDP or TCP port, there are convenient reasons to use multiple inputs, because Splunk can apply defaults to the data at the input level, such as host, sourcetype, and so on. However, this should not be necessary and is not really possible in the forwarded case; the forwarder has already labelled the data.

If you wanted to have both SSL and non-SSL forwarders connecting, that would require two ports.

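As an added illustration of the two-port case from the accepted answer (this is example configuration, not the poster's or Splunk's own files): the indexer listens on the plain port 9997 from the thread and on a separate splunktcp-ssl port, and a forwarder is pointed at the SSL port. Port 9998, the hostnames, the certificate paths and the password placeholders are assumptions; only 9997 comes from the thread. The settings shown (splunktcp, splunktcp-ssl, [SSL] with serverCert/sslPassword/requireClientCert, and tcpout with clientCert/sslPassword/sslVerifyServerCert) are documented inputs.conf and outputs.conf settings.

```ini
; ---- indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ----
; (added example; port 9998, paths and passwords are assumed values)

; Plain, non-SSL receiving port for forwarders that have not been issued certificates.
[splunktcp://9997]
disabled = 0

; SSL receiving port. A single splunktcp input is either SSL or plain, which is why
; supporting both kinds of forwarder at once needs two ports.
[splunktcp-ssl://9998]
disabled = 0

; Server-side TLS settings shared by every splunktcp-ssl input on this indexer.
[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = CHANGE_ME_private_key_password
; Only forwarders presenting a certificate chained to the indexer's trusted CA may connect.
requireClientCert = true

; ---- forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
; (added example; hostname, paths and password are assumed values)

[tcpout]
defaultGroup = indexers_ssl

[tcpout:indexers_ssl]
server = indexer1.example.com:9998
clientCert = /opt/splunkforwarder/etc/auth/mycerts/forwarder.pem
sslPassword = CHANGE_ME_private_key_password
; Refuse to send if the indexer's certificate does not validate against the trusted CA
; (the CA path itself is configured in server.conf; assumed to be set up on both sides).
sslVerifyServerCert = true
```

After restarting, `splunk btool inputs list splunktcp-ssl --debug` on the indexer shows the effective SSL stanza and which file it came from, and `splunk list forward-server` on the forwarder shows whether the indexer:port pair is in the active or inactive list. From a defender's point of view the interesting part is `requireClientCert = true`: the split into two ports only buys something beyond a single port if the SSL port is also the one that authenticates the sender, so that data from an unknown host cannot simply be pushed to 9998 as if it came from a managed forwarder.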

sdwilkerson
Contributor

One reason for multiple receiving ports that I have seen is the case where there are forwarders whose admins you might not totally trust to make the right decisions on setting details such as index. For instance, there are many remote sites and each site has its own admins who manage the systems and therefore would install the SplunkForwarder and set it up.

In this case, the site used multiple receiving ports so they could manage certain settings on the central Splunk indexer.

I am not totally positive that this is the best idea, or entirely necessary, but would love to hear some feedback either way.


Simeon
Splunk Employee

When deploying Splunk in a Forwarding tier, the default port we recommend is 9997. You can set all Splunk Forwarders to send data to a single port on your indexer. When architecting this kind of solution, you should consider all aspects of network capabilities, indexing volume, data distribution, and firewall concerns, just to name a few.

Splunk Forwarder 1 --> Splunk Indexer 1 (receiving on port 9997)
Splunk Forwarder 2 --> Splunk Indexer 1 (receiving on port 9997)
Splunk Forwarder 3 --> Splunk Indexer 1 (receiving on port 9997)
Splunk Forwarder 4 --> Splunk Indexer 1 (receiving on port 9997)

