KB 166 (Splunk): Should I use a Splunk Heavy Forwarder in my PowerConnect Architecture?
Version: 1 from 09.12.2022
The PowerConnect application can connect directly to both Splunk Enterprise and Splunk Cloud environments from the SAP system if the appropriate networks ports are open. This is the preferred method for integrating the Splunk and SAP systems because it requires the least number of connections to send the data (reducing potential failure points) and reduces customer infrastructure costs.
However, some customers may opt to use a Splunk heavy forwarder maintained in the same network as their SAP system, and then forward the data from the heavy forwarder to either their Splunk Enterprise or Splunk Cloud environment. Below is a list of considerations that can help customers determine whether a heavy forwarder should be included in their PowerConnect architecture:
IT Security team expresses concerns with allowing the SAP system to communicate directly outside of the internal firewall
The customer already uses a heavy forwarder in their existing environment architecture
Required network ports cannot be opened by the network team. For Splunk Enterprise, port 8088 needs to be open, and for Splunk Cloud, port 443 needs to be open for outbound web traffic (i.e., data flowing from SAP to Splunk).
If you decide that a heavy forwarder makes sense for your architecture based on the points above, you will send the data from the SAP system to the heavy forwarder using port 8088. After which, the heavy forwarder will send the data to Splunk Cloud or Splunk Enterprise via port 9997.