- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: expand heavy forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My logs volume increased and notice time out on my heavy forwarder, which is best way to add capacity increase the size of the server (more powerful server) or add multiple server. on the other word escaling horizontally vs vertically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ummm...
Have a look to your HF queues using DMC, perhaps HF is unable to handle all this incomming data from your 3k UFs.
Have a look to limits.conf file also.
Let me know if you find the problem there finally.
J.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ummm...
Have a look to your HF queues using DMC, perhaps HF is unable to handle all this incomming data from your 3k UFs.
Have a look to limits.conf file also.
Let me know if you find the problem there finally.
J.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. I will and let you know but the bottom line is HF can't expand horizontally as Indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, if necessary, you can have 2 HFs and you can send them balanced data from your UFs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
do you have CPU, memory, filesystem free space stats for this HF?
Do you use it only to pass data from your UFs to your IXs or you do more tasks there (i.e. Db connect, ...)?
If you provide all that info (or even more details) we can suggest you better solutions 😉
Regards,
J.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks J. the current server not indicate any cpu or memory issue, the metrics for that is low only network input out put is high as high traffic coming to the HF, I am using the HF as HEC also. most of the time out is on the logs pushed over HEC.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using heavy forward for filtering data or as center server to pass data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mainly to pass data not filtering.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also is there any error in _internal logs for heavy forwarder? Is there any firewall in between?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No firewall, I don't see any error. but on UF I see traffic is on waiting state. BTW I have close to 3k UF forward the logs to The HF. and HEC.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
