https://community.splunk.com/t5/Getting-Data-In/Indexer-vs-universal-forwarder/m-p/515678#M87315 <P>Hi,</P><P>&nbsp;I have a remote file (on&nbsp; server 2) which can be accessed directly from my Indexer (on server 1). What is the best and recommended way to ingest data from that file into indexer</P><P>&nbsp;</P><P>1) Read directly from indexer's inputs.conf (monitor://remote-path to the file) - Everything on server 1</P><P>2) Install universal forwarder on the target machine and forward data (complete log file. no props and transforms) - indexer on server1 and forwarder on server 2</P><P>&nbsp;</P><P>Whats the main difference between these 2 options? pros and cons?</P><P>&nbsp;</P><P>Thanks</P> Mon, 24 Aug 2020 03:31:15 GMT nareshinsvu 2020-08-24T03:31:15Z https://community.splunk.com/t5/Getting-Data-In/Indexer-vs-universal-forwarder/m-p/515678#M87315 <P>Hi,</P><P>&nbsp;I have a remote file (on&nbsp; server 2) which can be accessed directly from my Indexer (on server 1). What is the best and recommended way to ingest data from that file into indexer</P><P>&nbsp;</P><P>1) Read directly from indexer's inputs.conf (monitor://remote-path to the file) - Everything on server 1</P><P>2) Install universal forwarder on the target machine and forward data (complete log file. no props and transforms) - indexer on server1 and forwarder on server 2</P><P>&nbsp;</P><P>Whats the main difference between these 2 options? pros and cons?</P><P>&nbsp;</P><P>Thanks</P> Mon, 24 Aug 2020 03:31:15 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-vs-universal-forwarder/m-p/515678#M87315 nareshinsvu 2020-08-24T03:31:15Z https://community.splunk.com/t5/Getting-Data-In/Indexer-vs-universal-forwarder/m-p/515697#M87317 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/156769">@nareshinsvu</a>,</P><P>you have a little confusion:</P><P>props.conf and transforms.conf are on Indexer in both cases because they work in the parsing, merging and typing phases.</P><P>Instead inputs.conf depends on the choose you're working.</P><P>There're only one exception to this rule: in the input of csv files, props.conf must be also on Forwarder.</P><P>Anyway, answering to your question: if possible using a Universal Forwarder on the target server is the best approach because you optimize the input phase and the network bandwidth.</P><P>In addition (if you like) you can encrypt transmission.</P><P>The other solution is to use if you cannot install the UF on the target server: e.g. it's an old operative system or there aren't resources or simply you don't want to install nothing on it.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 24 Aug 2020 06:23:04 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-vs-universal-forwarder/m-p/515697#M87317 gcusello 2020-08-24T06:23:04Z https://community.splunk.com/t5/Getting-Data-In/Indexer-vs-universal-forwarder/m-p/515706#M87319 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/156769">@nareshinsvu</a>,</P><P>Good!</P><P>ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 24 Aug 2020 07:36:19 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-vs-universal-forwarder/m-p/515706#M87319 gcusello 2020-08-24T07:36:19Z