topic Re: Universal Forwarder and parsing events in Getting Data In

Universal Forwarder and parsing events

uayub — Tue, 26 Feb 2013 22:28:41 GMT

We are in the process of replacing Snare for Windows at Client machines (Windows 7) with a splunk Forwarder. Which Splunk Forwarder would you suggest we install at the client and the process/procedure to parse the various events?

Thank you for your help.

Unis

Re: Universal Forwarder and parsing events

Ayn — Tue, 26 Feb 2013 22:57:55 GMT

Event "parsing", or what in Splunk is more commonly called "field extraction", is done at search-time, not index-time. Universal Forwarders simply read raw log data and forward it - that's it.

There aren't very many different kinds of Splunk forwarders to choose from, so I'm really not sure what you're after. A Universal Forwarder is what you likely want to use unless you have good reasons for choosing a full-fledged Splunk instance acting as a forwarder (and know what you're doing).

Re: Universal Forwarder and parsing events

uayub — Wed, 27 Feb 2013 18:12:55 GMT

Thanks Ayn for the reply. Basically we need to filter the events generated at the client and then forward it to the indexer. How could we achieve this ?
Thank you.
Unis

Re: Universal Forwarder and parsing events

Ayn — Wed, 27 Feb 2013 18:27:10 GMT

Filtering can only be done on Splunk instances that perform parsing, which a Universal Forwarder doesn't. So you'd need a full Splunk instance acting as a forwarder (a "heavy forwarder").