![]() Simple routing and cloning of data can be performed with the Universal Forwarder, only when you need to route different events to different destinations does a heavy forwarder become necessary. We need to route the data to multiple locations This is the most performant and easiest to manage at large scale. Do this on the indexers, unless the majority of the data is being dropped at source. We may need to filter data, so we should use a Heavy Forwarder, right?Ī Universal Forwarder can filter windows events at source by Event ID.Ī Universal Forwarder cannot filter based on regular expressions. If you were collecting some data from a database on a remote site and had requirements that data goes through an aggregation layer before it left site, or upon arrival at a remote site. Common questions Can I send from a Heavy Forwarder -> Universal Forwarder -> Indexer? The distribution of data across your indexing tier will be lower when an intermediate tier of forwarders is used, ultimately causing a detrimental impact on search performance and user experience. When it comes to searching, this could mean that only a one or two of your indexers contain the results for your search and your search would only leverages the power of a few, rather than the power of many/all. The use of an intermediate tier will cause the data will funnel data to a smaller subset of indexers at any one time, causing hot spots of data for a given time period. The use an intermediate forwarding tier is an artificial bottleneck, increasing the amount of time from event generation to availability for searching and can also be a cause of data imbalance on the indexing tier that will reduce search performance. The use of aggregation layers sitting between collection and indexing tiers should be the exception rather than the rule, as this can have unintended consequences when it comes to your data. The use of intermediate forwarding/aggregation layer
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |