With a full installation of Splunk, the process can be configured as one of two
kinds of forwarder:
• A light forwarder is configured to not parse events but instead to forward
the raw stream of data to indexers. This installation has the advantages
that it uses very few resources on the machine running the forwarder
(unless the number of files being scanned is very large) and that the
configuration is simple. It has the disadvantage that the indexers will
do more work. If this is what you need, it is recommended that you
use the Splunk Universal Forwarder.
• A heavy forwarder is configured to parse events, forwarding these parsed or
"cooked" events to the indexers. This has the advantage that the indexer does
less work but the disadvantage that more configurations need to be pushed
to the forwarders. This configuration also uses approximately double the
CPU and memory required for a light forwarder configuration.
For most customers, the Splunk Universal Forwarder is the right answer.
The most important configuration files for a forwarder installation are:
• inputs.conf: This defines what files to read, network ports to listen to,
or scripts to run.
• outputs.conf: This defines which indexer(s) should receive the data.
• props.conf: As discussed in Chapter 10, Configuring Splunk, very little of
this configuration is relevant to the input stage, but much of it is relevant
to the parse stage. The simplest way to deal with this complexity is to
send props.conf everywhere so that whatever part of the configuration is
needed is available. We will discuss this further in the Using apps to organize
configuration section in this chapter.
• default-mode.conf: This configuration is used to disable processing
modules. Most modules are disabled in the case of a light forwarder.
• limits.conf: The main setting here is maxKBps, which controls how much
bandwidth each forwarder will use. The default setting for a light forwarder
is very low to prevent flooding the network or overtaxing the forwarding
machine. This value can usually be increased safely. It is often increased to
the limits of the networking hardware.
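As an added illustration (not taken from the book), a minimal forwarder configuration touching three of the files listed above might look like the following. The indexer host names, monitored path, index name, output group name, and throughput value are constructed placeholders.

```ini
# ---- inputs.conf: what the forwarder reads ----
# Monitor a single log file (path, sourcetype and index are example values).
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os_logs
disabled = false

# ---- outputs.conf: which indexer(s) receive the data ----
[tcpout]
defaultGroup = primary_indexers

# Listing more than one server makes the forwarder load-balance between them.
# Host names are placeholders; 9997 is the conventional receiving port.
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
# Ask indexers to acknowledge received data so events are re-sent
# if a connection drops mid-stream.
useACK = true

# ---- limits.conf: bandwidth cap per forwarder ----
[thruput]
# Raised from the low forwarder default; 0 would mean unlimited.
# Pick a value the network path and the indexers can sustain.
maxKBps = 1024
```

Because the forwarder decides which logs leave a host and how fast, it is worth reviewing these three files together when checking that security-relevant sources are actually being collected and are not being throttled into a backlog.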
We will discuss deploying the forwarder under the Deploying the Splunk binary
section in this chapter.
 