Hi,
I am trying to monitor data from about 200 servers, different sources. What is the best way to do this easily and efficiently? I am on a time crunch. Any help will be fantastic. I understand that putting a universal forwarder on the server will pull data to the indexer. But I can't do that for over 200 servers. HELP.
Thanks
The best way is the one you rejected - put a UF on each source system. Many people have done it with far more than 200 servers, so don't let that stop you. Use management tools such as Puppet, Ansible, SCCM, etc., to make the job easier. Be sure to have a Deployment Server configured to handle configuration of the UFs.
Am happy to report everything is working fine. Thanks for your immense help.
Thanks for the quick response. Which of these management tools is beginner friendly in your opinion?
I'd start with Ansible.
What stanza should be in inputs.conf on the server?
Some examples are saying there should be a host. Should there?
Host
monitor:
index =
sourcetype =
Put in inputs.conf the things you want the UF to send to Splunk. Perhaps the most common is [monitor://foo] to read text files as they get new text. Also common are [WinEventLog://...] on Windows servers and [perfmon://...] to collect performance metrics.
Start with a few enabled stanzas as a proof of concept and to ensure you don't overwhelm the environment (Splunk or the network). You can add or enable other inputs via the Deployment Server later.
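Here is an inputs.conf that puts the stanzas from the answer above together, as an added example; it is not part of the original answer and not Splunk's own reference config. The file paths, index names and sourcetype names are assumptions, so replace them with your own, and create the indexes on the indexers before enabling the stanzas, since events sent to an index that does not exist are dropped. Deploy the file as an app under $SPLUNK_HOME/etc/apps/<appname>/local/ via the Deployment Server rather than editing each forwarder by hand.

```ini
# inputs.conf for a universal forwarder app (assumed app name: all_uf_inputs).
# Index and sourcetype names are assumptions; the indexes must exist on the indexers.
# Comments must sit on their own line: Splunk treats text after a value as part of the value.

[default]
# $decideOnStartup is the default: each forwarder reports its own hostname.
# Do not hard-code host here, or all 200 servers will show up under one name.
host = $decideOnStartup

# Linux: tail a single file as new lines are written.
# The UF must be able to read it (auth.log is often root-only; grant read access or run the UF as root).
[monitor:///var/log/auth.log]
disabled = 0
index = os_linux
sourcetype = linux_secure

# Linux: watch a directory, but only pick up files matching the whitelist regex
# (matched against the full path), and skip files untouched for more than 7 days.
[monitor:///var/log/nginx]
disabled = 0
index = web
sourcetype = nginx_access
whitelist = access\.log$
ignoreOlderThan = 7d

# Windows: the Security event log. Left disabled until the indexers are sized for the volume;
# flip disabled to 0 from the Deployment Server when ready.
[WinEventLog://Security]
disabled = 1
index = os_windows
start_from = oldest
current_only = 0

# Windows: CPU counters from perfmon, sampled every 30 seconds.
[perfmon://CPU]
disabled = 1
object = Processor
counters = % Processor Time; % User Time
instances = _Total
interval = 30
index = perfmon
```

In practice you would split the Linux and Windows stanzas into two apps and target each with a Deployment Server server class, so a forwarder only receives inputs that apply to its platform. Keeping the disabled flag in the deployed file (rather than deleting stanzas) lets you turn inputs on in stages, which matches the "few stanzas first" advice above.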