https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32352#M5742 <P>I would think so (to some degree), but I'm not sure. However, I'm not sure why you would do that. Normally Splunk would be instaleld on a computer and forward directly to the indexer. If you used event subscriptions, you would essentially be forwarding from one computer to another (using event subscriptions) and then forwarding again to the indexer (using Splunk client). If you did use subscriptions you would probably also have to be careful in how you set Splunk to tag the events with hostnames, as all the events would appear to be coming from one computer.</P> <P>Hopefully someone else who has actually tried this will chime in.</P> Fri, 09 Dec 2011 16:05:32 GMT rtadams89 2011-12-09T16:05:32Z https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32351#M5741 <P>Do you know if Splunk supports event subscriptions ? It's a new feature on Windows 7 and Windows 2008 R2. It helps to centralize event logs from different Windows servers on one server.</P> <P><A href="http://technet.microsoft.com/en-us/library/cc749183.aspx">http://technet.microsoft.com/en-us/library/cc749183.aspx</A></P> Fri, 09 Dec 2011 15:34:11 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32351#M5741 ysouchon 2011-12-09T15:34:11Z https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32352#M5742 <P>I would think so (to some degree), but I'm not sure. However, I'm not sure why you would do that. Normally Splunk would be instaleld on a computer and forward directly to the indexer. If you used event subscriptions, you would essentially be forwarding from one computer to another (using event subscriptions) and then forwarding again to the indexer (using Splunk client). If you did use subscriptions you would probably also have to be careful in how you set Splunk to tag the events with hostnames, as all the events would appear to be coming from one computer.</P> <P>Hopefully someone else who has actually tried this will chime in.</P> Fri, 09 Dec 2011 16:05:32 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32352#M5742 rtadams89 2011-12-09T16:05:32Z https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32353#M5743 <P>Yes it does, but I'm finding the folks at Splunk either dont' ore won't tell you so they can sell you additional licesnes and/or technical services.</P> <P>Im my opinion you are much better off using the Windows subscription model for many reasons. (But you milage may vary.)</P> Thu, 12 Dec 2013 19:43:15 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32353#M5743 Douggg 2013-12-12T19:43:15Z https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32354#M5744 <P>I can't see how this would play into the license size you would need. Whether you are sending the event log data from 10 hosts directly to Splunk, or aggregating it at an 11th host before sending it on to Splunk, the total log volume would be the same...</P> Thu, 12 Dec 2013 23:21:24 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32354#M5744 rtadams89 2013-12-12T23:21:24Z https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32355#M5745 <P>Splunk was doing 'event subscriptions' long before Microsoft was. It is probably where Microsoft got the idea.</P> <P>Why do you want to go backwards?</P> Fri, 13 Dec 2013 00:57:53 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32355#M5745 lukejadamec 2013-12-13T00:57:53Z https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32356#M5746 <P>Why? Because you don't have to load Splunk's software.</P> Fri, 13 Dec 2013 06:21:36 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32356#M5746 Douggg 2013-12-13T06:21:36Z https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32357#M5747 <P>The Splunk forwarders are free, and Windows subscriptions cannot consolidate network, unix, and any other non-Windows system.</P> Fri, 13 Dec 2013 13:14:14 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-2008-R2-event-subscriptions/m-p/32357#M5747 lukejadamec 2013-12-13T13:14:14Z