Before I moved over to the PS world, I was a Splunk admin who thought he had it all figured out. I had been working with Splunk for almost three years before I made the jump and got hit with the realization that I didn't know nearly as much as I thought I did. I was doing many of the things that I'll reference below. Many of these things work, but they aren't exactly the most efficient approach. And because they do work, they've grown into fake news over the years! Hopefully, this blog will help you avoid some of the growing pains that I had. If you're doing any of the things below, hopefully we will be able to give you an idea of how to better approach your own environment. But if all else fails, please don't hesitate to reach out to us for Splunk professional services help.

Splunk Myth 1: A Heavy Forwarder is More Effective Than a Universal Forwarder

We could honestly do an entire post on this concept alone, but the fact of the matter is that a Heavy Forwarder (HF) is very rarely more useful than a Universal Forwarder (UF). If you don't know the difference, a Heavy Forwarder is an entire Splunk package with indexing turned off. A Universal Forwarder is along the same lines, but it is a much smaller package that does not have the web UI that the Heavy Forwarder has.

More often than not, we see people using a Heavy Forwarder as an intermediate forwarder, and this is usually contrary to best practices. Unless it is syslog data, it is better to avoid an aggregate layer if possible: an aggregate layer creates a data funnel if it is not done properly. But if you do need an aggregate layer, make sure you opt for the Universal Forwarder.

In many cases, a Heavy Forwarder is actually much more intensive on network IO. This is because a Heavy Forwarder takes part in the indexer's job and actually parses the data, and, contrary to popular belief, this does not reduce CPU utilization on the indexers. In fact, the amount of data forwarded over the network is approximately SIX TIMES higher when forwarding data from a Heavy Forwarder instead of a Universal Forwarder. Do yourselves a favor, keep your network admin happy, and avoid using a Heavy Forwarder where you can.

*Table represents a test file of 367,463,625 being forwarded on a HF compared to a UF*

There are generally only two use cases where we would ever recommend using a Heavy Forwarder over a Universal Forwarder. The most common is when you want to use a heavy add-on like DB Connect, Opsec LEA, etc., and the other is when you need to forward logs to a third party. The Universal Forwarder cannot do either of these. More specifically, these heavy add-ons typically make use of Splunk Python binaries that don't exist in a UF package.

Splunk Myth 2: Always Place Your Config Files in etc/system/local

Splunk's ability to scale is what attracts so many people to the product. It scales better than virtually anything else on the market.
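The aggregation tier the post recommends under Myth 1 (a Universal Forwarder, not a Heavy Forwarder, sitting between endpoints and indexers), written out as an added configuration example that is not from the post; the app name, hostnames and port are assumptions. It also raises the UF's default throughput cap, one common cause of the data funnel the post warns about, and keeps the settings under an app directory rather than etc/system/local.

```ini
# Intermediate Universal Forwarder, split across four .conf files.
# All paths are under a hypothetical app: etc/apps/org_intermediate_fwd/local/

# --- inputs.conf: accept cooked traffic from the endpoint UFs ---
[splunktcp://9997]
connection_host = ip

# --- outputs.conf: relay to the indexer tier with load balancing ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Hostnames are assumed; list every indexer so auto load balancing can spread the load.
server = idx1.example.com:9997, idx2.example.com:9997
# Indexer acknowledgement so the relay does not drop data on a restart.
useACK = true
# Rotate the target indexer every 30 seconds to avoid hot-spotting one indexer.
autoLBFrequency = 30

# --- limits.conf: remove the per-host throughput cap ---
# A UF defaults to maxKBps = 256, which is fine on an endpoint but throttles
# an intermediate forwarder that carries many hosts' traffic. 0 = unlimited.
[thruput]
maxKBps = 0

# --- server.conf: a second ingestion pipeline for the relay role ---
[general]
parallelIngestionPipelines = 2
```

Check the funnel after deploying by watching splunkd.log on the endpoint UFs for blocked-queue messages; if they persist, the intermediate tier still needs more instances or more pipelines.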