Skip to main content
Skip table of contents

KB 166 - Should I use a Splunk Heavy Forwarder in my PowerConnect Architecture?

KB 166 (Splunk): Should I use a Splunk Heavy Forwarder in my PowerConnect Architecture?

Category: Information

Priority: Normal

Platform: Splunk

Version: 1 from 09.12.2022


The PowerConnect application can connect directly to both Splunk Enterprise and Splunk Cloud environments from the SAP system if the appropriate networks ports are open. This is the preferred method for integrating the Splunk and SAP systems because it requires the least number of connections to send the data (reducing potential failure points) and reduces customer infrastructure costs.

However, some customers may opt to use a Splunk heavy forwarder maintained in the same network as their SAP system, and then forward the data from the heavy forwarder to either their Splunk Enterprise or Splunk Cloud environment. Below is a list of considerations that can help customers determine whether a heavy forwarder should be included in their PowerConnect architecture:

  • IT Security team expresses concerns with allowing the SAP system to communicate directly outside of the internal firewall

  • The customer already uses a heavy forwarder in their existing environment architecture

  • Required network ports cannot be opened by the network team. For Splunk Enterprise, port 8088 needs to be open, and for Splunk Cloud, port 443 needs to be open for outbound web traffic (i.e., data flowing from SAP to Splunk).

If you decide that a heavy forwarder makes sense for your architecture based on the points above, you will send the data from the SAP system to the heavy forwarder using port 8088. After which, the heavy forwarder will send the data to Splunk Cloud or Splunk Enterprise via port 9997.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.