Docs: Heavy Forwarder using Standalone CR - add docs/HeavyForwarder-Standalone.md

[vivekr-splunk]

Description

Add a new guide docs/HeavyForwarder-Standalone.md that walks users through creating a Splunk Heavy Forwarder on Kubernetes using the Splunk Operator Standalone custom resource. The guide covers:

• ConfigMap driven configuration with defaultsUrl
• Reliable Splunk to Splunk forwarding with outputs.conf (indexAndForward=false, useACK=true, compressed=true, autoLBFrequency=30)
• Operator managed HEC enablement via the namespace secret
• Deployment steps, validation, troubleshooting, cleanup, and references

Key Changes

• Added docs/HeavyForwarder-Standalone.md

No code or charts changed.

Testing and Verification

• Rendered the Markdown locally to verify headings, anchors, and code blocks

• Ran Markdown linting to check formatting

• Dry-ran the provided kubectl commands against a test cluster to validate:

  • Standalone CR becomes Ready
  • Operator secret contains a HEC token
  • inputs.conf shows HEC enabled
  • outputs.conf shows heavy forwarder settings
  • Test HEC event posts successfully and is searchable at the indexers

No automated tests are added since this is documentation only.

Related Issues

• Jira: CSPL-4133

PR Checklist

• Code changes adhere to the project's coding standards.
• Relevant unit and integration tests are included.
• Documentation has been updated accordingly.
• All tests pass locally.
• The PR description follows the project's guidelines.

[Copilot]

Pull Request Overview

This PR adds comprehensive documentation for deploying a Splunk Heavy Forwarder on Kubernetes using the Splunk Operator's Standalone Custom Resource. The guide demonstrates ConfigMap-based configuration management, operator-managed HEC enablement, and reliable Splunk-to-Splunk forwarding.

Key Changes:

• Added complete heavy forwarder deployment guide covering architecture, configuration, deployment steps, validation procedures, and troubleshooting
• Documented operator-managed HEC token generation and automatic inputs.conf configuration
• Provided detailed testing procedures with expected outputs for each validation step

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The line number reference '(Lines 9-22)' is misleading as it refers to lines in the original YAML file structure, not the documentation itself. Consider removing the line number reference or clarifying what it refers to (e.g., 'Lines 9-22 in the ConfigMap YAML structure shown below').

Suggested change

	##### 1. outputs.conf - Forwarding Configuration (Lines 9-22)
	##### 1. outputs.conf - Forwarding Configuration (Lines 9-22 in the ConfigMap YAML structure shown below)

[Copilot]

Similar to the previous section, the line number reference '(Lines 23-30)' is unclear. These line numbers don't correspond to lines in this document and may confuse readers.

Suggested change

	##### 2. props.conf - Data Parsing Rules (Lines 23-30)
	##### 2. props.conf - Data Parsing Rules

[Copilot]

The line number reference '(Lines 31-42)' should be clarified or removed to avoid confusion, as these numbers don't map to the current document structure.

Suggested change

	##### 3. transforms.conf - Data Transformation (Lines 31-42)
	##### 3. transforms.conf - Data Transformation

[Copilot]

The line number reference '(Lines 44-55)' should be removed or clarified, as it doesn't correspond to lines in this documentation.

Suggested change

	### Part 2: Standalone Custom Resource (Lines 44-55)
	### Part 2: Standalone Custom Resource

[coveralls]

Pull Request Test Coverage Report for Build 18706328521

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 86.552%

---

Totals
Change from base Build 18653942794:	0.0%
Covered Lines:	10710
Relevant Lines:	12374

---

💛 - Coveralls

[kasiakoziol]

I think it's optional to run these in the following namespaces since we support both single-namespace and multiple-namespace deployments, so it doesn't have to be a part of the prerequisites. Same with the service name.

[kasiakoziol]

Is it idx_svc as above or to_idx_svc as here?

[kasiakoziol]

It returns 404

[rlieberman-splunk]

Maybe it should be https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/10.0/introduction-to-forwarding/about-forwarding-and-receiving?

[kasiakoziol]

It returns 404

[kasiakoziol]

It returns 404

[kasiakoziol]

There are finalizers, so it should happen automatically

[rlieberman-splunk]

Is there a reason that this has double quotes and dcpout on line 117 does not? It looks like they are at the same indentation, so it might make sense to make them consistent.