https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520264#M3482 <P>As I understood at this moment I can use for it universal forwarder too?</P> Fri, 18 Sep 2020 08:06:07 GMT tmardan 2020-09-18T08:06:07Z https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520190#M3476 <P>Hello!</P><P>How can I add Office 365 logs to my Splunk if I have 1 search head and 2 indexers and using distributed search?</P><P>Should I install all add-ons on 1 indexer and make all configurations on it and all add-ons and app on search head?</P> Thu, 17 Sep 2020 18:05:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520190#M3476 tmardan 2020-09-17T18:05:24Z https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520196#M3477 <P>I recommend HF.</P><P>Indexers are generally overloaded with requests coming from search head.</P><P>You can Install on Indexer if they are not overloaded.</P> Thu, 17 Sep 2020 19:11:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520196#M3477 thambisetty 2020-09-17T19:11:35Z https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520197#M3478 <P>Thank you for answer!</P><P>You mean deploy heavy forwarder on another machine and configure it to receive logs from Office365 and then send them to my indexers?</P> Thu, 17 Sep 2020 19:14:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520197#M3478 tmardan 2020-09-17T19:14:13Z https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520262#M3481 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226194">@tmardan</a>&nbsp;</P><P>exactly.&nbsp; To separate workloads to different worker machines.&nbsp;</P> Fri, 18 Sep 2020 08:03:39 GMT https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520262#M3481 thambisetty 2020-09-18T08:03:39Z https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520264#M3482 <P>As I understood at this moment I can use for it universal forwarder too?</P> Fri, 18 Sep 2020 08:06:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520264#M3482 tmardan 2020-09-18T08:06:07Z https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520322#M3485 <P>Start by reading the docs for the add-ons and apps you plan to install.&nbsp; They should say where they want to be installed.</P><P>In general, inputs should not be defined on indexers in a distributed environment.&nbsp; Doing so is likely to cause duplicated data.&nbsp; Put them on a heavy forwarder, instead.&nbsp; See&nbsp;<A href="https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall" target="_blank">https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall</A></P> Fri, 18 Sep 2020 12:49:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520322#M3485 richgalloway 2020-09-18T12:49:16Z https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520572#M3496 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226194">@tmardan</a>&nbsp;</P><P>you can't use UF as it doesn't have python included in package.</P> Mon, 21 Sep 2020 09:02:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Office-365-logs/m-p/520572#M3496 thambisetty 2020-09-21T09:02:11Z