https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385281#M169563 <P>Theres very specific use cases for using a HF. You should typically let the indexers do the parsing </P> Tue, 08 May 2018 15:17:55 GMT skoelpin 2018-05-08T15:17:55Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385276#M169558 <P>I have <BR /> I want to send windows logs through heavy forwarder to indexer.</P> <P>on windows server, I install universal forwarder and put Heavy forwarder ip:9997. <BR /> already configure listening on heavy forwarder.</P> <P>now how can I see event in indexer.</P> Tue, 08 May 2018 14:02:17 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385276#M169558 rashid47010 2018-05-08T14:02:17Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385277#M169559 <P>why would you want to use a Heavy Forwarder?<BR /> try and avoid using HF unless you must have it<BR /> take a look at this link to troubleshoot:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.1.0/Troubleshooting/Cantfinddata">http://docs.splunk.com/Documentation/Splunk/7.1.0/Troubleshooting/Cantfinddata</A></P> Tue, 08 May 2018 14:13:25 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385277#M169559 adonio 2018-05-08T14:13:25Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385278#M169560 <P>hi <BR /> this is just a start of completed architecture. <BR /> However I achieve this. <BR /> Now where can I filter the events<BR /> on HF OR UF ?</P> <P>Please advise.</P> Tue, 08 May 2018 14:31:11 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385278#M169560 rashid47010 2018-05-08T14:31:11Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385279#M169561 <P>Did you setup data inputs to collect the data on UF?</P> Tue, 08 May 2018 14:38:25 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385279#M169561 somesoni2 2018-05-08T14:38:25Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385280#M169562 <P>Specifically for windows events, you can filter those using whitelist or blacklist settings in inputs.conf on the UF.</P> Tue, 08 May 2018 14:53:47 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385280#M169562 FrankVl 2018-05-08T14:53:47Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385281#M169563 <P>Theres very specific use cases for using a HF. You should typically let the indexers do the parsing </P> Tue, 08 May 2018 15:17:55 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385281#M169563 skoelpin 2018-05-08T15:17:55Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385282#M169564 <P>Hi Frank,</P> <P>Please share some example on this.</P> Wed, 09 May 2018 05:29:58 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385282#M169564 rashid47010 2018-05-09T05:29:58Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385283#M169565 <P>Just have a look at the inputs.conf spec and accompanying examples. Or check out my accepted answer here: <A href="https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html">https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html</A></P> Wed, 09 May 2018 07:03:05 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385283#M169565 FrankVl 2018-05-09T07:03:05Z https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385284#M169566 <P>Hi,</P> <P>Here is a good reference for your deployment architecture.<BR /> <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F" target="_blank">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F</A></P> Tue, 29 Sep 2020 19:29:46 GMT https://community.splunk.com/t5/Splunk-Search/Deployment-architecture/m-p/385284#M169566 jaracan 2020-09-29T19:29:46Z