Configure a forwarder to handle multiple pipeline sets
You can configure a forwarder to use multiple processing pipelines to increase forwarding throughput for machines that forward a large amount of data and have more than one core available.
The universal forwarder can be configured to handle multiple pipeline sets. A pipeline set is an instance of the event processing section of the data pipeline. A universal forwarder with multiple pipeline sets can process multiple events at once, thus increasing forwarder throughput and getting events to indexers faster. The feature that both indexers and forwarders use to handle multiple streams is called index parallelization.
Other than the fact that the forwarders can send more than one stream of data at a time, forwarders with parallelization enabled look just like other forwarders to indexers. As well, indexers process data streams from forwarders with parallelization enabled in the same way that they process forwarders with one data stream.
While it is possible to increase the number of pipelines by any number, you should not increase it to more than two unless you receive instruction to do so by Splunk Professional Services.
When you enable multiple pipeline sets on a forwarder, any throughput-related settings apply to each pipeline set on the forwarder, rather than to the forwarder itself. For example, if you have two pipeline sets enabled on a forwarder, the maximum network throughput default of 256KBps (2 Mbps) is for each pipeline, for a total of 512KBps (4Mbps) for the forwarder.
For more information about how forwarders use parallelization to process more data, see Forwarders and multiple pipeline sets in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Configure a universal forwarder to use multiple pipeline sets
1. At a command or shell prompt on the universal forwarder, change to the local configuration directory:
2. Create the file
server.conf in this directory.
3. Open the
server.conf file for editing.
4. Add the following stanza to enable parallelization:
[general] parallelIngestionPipelines = 2
5. Save the file and close it.
6. Restart the universal forwarder.
Configure an intermediate forwarder
Configure forwarding to Splunk Enterprise indexer clusters
This documentation applies to the following versions of Splunk® Universal Forwarder: 188.8.131.52, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 9.0.0
Feedback submitted, thanks!