<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Help with choice of forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471257#M81012</link>
    <description>&lt;P&gt;3 questions:&lt;/P&gt;

&lt;P&gt;Can I use directly syslog for everything enabling it to each machine, without getting use of universal forwarder or heavy? &lt;BR /&gt;
What is the advantage to use directly it rather than install UF for instance?&lt;/P&gt;

&lt;P&gt;What is the difference between the heavy forwarder and an indexer for example?&lt;/P&gt;

&lt;P&gt;Then must I use the add-on with a universal forwarder or I can install it without to use it?&lt;BR /&gt;
Would everything work the same? what do they used for is it like a dsm?&lt;/P&gt;</description>
    <pubDate>Tue, 29 Oct 2019 16:20:05 GMT</pubDate>
    <dc:creator>dani9</dc:creator>
    <dc:date>2019-10-29T16:20:05Z</dc:date>
    <item>
      <title>Help with choice of forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471257#M81012</link>
      <description>&lt;P&gt;3 questions:&lt;/P&gt;

&lt;P&gt;Can I use directly syslog for everything enabling it to each machine, without getting use of universal forwarder or heavy? &lt;BR /&gt;
What is the advantage to use directly it rather than install UF for instance?&lt;/P&gt;

&lt;P&gt;What is the difference between the heavy forwarder and an indexer for example?&lt;/P&gt;

&lt;P&gt;Then must I use the add-on with a universal forwarder or I can install it without to use it?&lt;BR /&gt;
Would everything work the same? what do they used for is it like a dsm?&lt;/P&gt;</description>
      <pubDate>Tue, 29 Oct 2019 16:20:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471257#M81012</guid>
      <dc:creator>dani9</dc:creator>
      <dc:date>2019-10-29T16:20:05Z</dc:date>
    </item>
    <item>
      <title>Re: Help with choice of forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471258#M81013</link>
      <description>&lt;P&gt;Sending syslog directly to Splunk risks losing data if the indexer restarts.  Using a forwarder helps prevent data loss and also improves search performance by evenly distributing data across all indexers.&lt;/P&gt;

&lt;P&gt;The difference between a heavy forwarder and an indexer is the HF does not store (index) data.  The HF forwards the data to indexers for storage.&lt;/P&gt;

&lt;P&gt;For a good description of the reasons to not send syslog directly to Splunk, see &lt;A href="http://www.georgestarcher.com/splunk-success-with-syslog/"&gt;http://www.georgestarcher.com/splunk-success-with-syslog/&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Oct 2019 00:51:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471258#M81013</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2019-10-30T00:51:44Z</dc:date>
    </item>
    <item>
      <title>Re: Help with choice of forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471259#M81014</link>
      <description>&lt;P&gt;Hi dani9,&lt;BR /&gt;
as @richgalloway said, using an Heavy Forwarder gives you more flexibility.&lt;BR /&gt;
In addition, I suggest (if you can) to use two Heavy Forwarders with a Load Balancer to ingest syslogs: this permits to avoid Single Points of Failure and be sure to have all the syslogs without losing anyrhing.&lt;BR /&gt;
As Load balancer you can also use a DNS configuration.&lt;/P&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 30 Oct 2019 07:43:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471259#M81014</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2019-10-30T07:43:30Z</dc:date>
    </item>
    <item>
      <title>Re: Help with choice of forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471260#M81015</link>
      <description>&lt;P&gt;thank for those.&lt;/P&gt;

&lt;P&gt;So do you also light dreams about Add-on that is must I install it for each source?&lt;BR /&gt;
what's those for? &lt;/P&gt;</description>
      <pubDate>Wed, 30 Oct 2019 08:27:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Help-with-choice-of-forwarder/m-p/471260#M81015</guid>
      <dc:creator>dani9</dc:creator>
      <dc:date>2019-10-30T08:27:39Z</dc:date>
    </item>
  </channel>
</rss>

