Forward(er) Thinking | Splunk

By now, most of you in the Splunk community have upgraded or deployed our latest version of 4.2 – and the feedback from customers has been great. One of the many features that have enhanced this version of Splunk is a little-known one that supports Splunk Forwarders. Called “Indexer Acknowledgement”, it provides a very powerful set of capabilities that many have been asking for.

The main idea behind Indexer Acknowledgement is the protection of “in-flight” data between Splunk Forwarders and the index servers. If enabled, a Splunk indexer will confirm transmissions from a designated Splunk Forwarder. The Forwarder will perform retries as configured until a valid transmission is received and acknowledged. If the Forwarder is part of a pool, it can retry delivery to another indexer, when necessary. This significantly improves Splunk’s ability to monitor and manage a deployment of Splunk Forwarders in an enterprise. In addition, the new Deployment Monitor is an enhanced UI dedicated to managing enterprise deployments, including Forwarders.
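Turning this on is a forwarder-side setting. The stanza below is an added example, not part of the original post: it shows the default behaviour (commented out) beside the acknowledged one in `outputs.conf`, and the group name and indexer host names are placeholders.

```ini
# outputs.conf on the forwarder (constructed example; group and host names are placeholders)
[tcpout]
defaultGroup = ack_indexers

[tcpout:ack_indexers]
# Two receivers form the pool, so unacknowledged data can be re-sent to the other indexer.
server = indexer1.example.com:9997, indexer2.example.com:9997

# Default: no acknowledgement. The forwarder treats data as delivered once it has been
# written to the network socket, so events in flight can be lost if the indexer goes down.
# useACK = false

# Enabled: the forwarder holds each block of data until an indexer acknowledges it,
# and re-sends anything that was never acknowledged.
useACK = true
```

For audit and security logs this is the setting that keeps an indexer outage from silently dropping events between the forwarder and the index.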

The recent release of the Universal Forwarder, capabilities such as Indexer Acknowledgement, and the Deployment Monitor are all steps toward a more pervasive reach of Splunk capabilities into large enterprise deployments. As we continue to innovate our technology, Forwarders will take on an even more significant role in an evolving Splunk Data Fabric – integrating Splunk and other vendor solutions. Our engineering team’s commitment to quality and improvements like this help our customers obtain even more value from their Splunk deployments.

If you’d like to learn more about Splunk Forwarders, you can attend my session “Splunk Forwarding and Receiving” at the 2011 .conf – Splunk User Conference, this August 15-17.

Jeffery Blake
