
How to onboard data from multiple servers?

woodlandrelic
Path Finder

Hi,

I am trying to monitor data from about 200 servers with different sources. What is the best way to do this easily and efficiently? I am on a time crunch. Any help will be fantastic. I understand that putting a universal forwarder on the server will pull data to the indexer. But I can't do that for over 200 servers. HELP.

Thanks


richgalloway
SplunkTrust

The best way is the one you rejected - put a UF on each source system.  Many people have done it with far more than 200 servers so don't let that stop you.  Use management tools such as Puppet, Ansible, SCCM, etc., to make the job easier.  Be sure to have a Deployment Server configured to handle configuration of the UFs.

---
If this reply helps you, Karma would be appreciated.


woodlandrelic
Path Finder

Am happy to report everything is working fine. Thanks for your immense help.

 

woodlandrelic
Path Finder

Hi @richgalloway 

Thanks for the quick response. Which of these management tools are beginner friendly in your opinion?


richgalloway
SplunkTrust

I'd start with Ansible.

---
If this reply helps you, Karma would be appreciated.


woodlandrelic
Path Finder

Hi @richgalloway 

What stanza should be in the inputs.conf on the server?

Some examples are saying there should be a host. Should there?

Host

monitor:

index =

sourcetype =


richgalloway
SplunkTrust

Put in inputs.conf the things you want the UF to send to Splunk.  Perhaps the most common is [monitor://foo] to read text files as they get new text.  Also common are [WinEventLog://...] on Windows servers and [perfmon://...] to collect performance metrics.

Start with a few enabled stanzas as a POC and to ensure you don't overwhelm the environment (Splunk or the network).  You can add or enable other inputs via the Deployment Server later.

---
If this reply helps you, Karma would be appreciated.
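
A sketch of the two forwarder-side files discussed in this thread, added here as an illustration and not taken from any poster's environment: the Deployment Server pointer that each UF needs, and a small proof-of-concept inputs.conf with only some stanzas enabled. The hostname, app name, index names and log path are assumptions; the indexes must already exist on the indexers.

```ini
# ---- File 1: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ----
# Installed on every UF (for example by Ansible) so the forwarder
# fetches its apps from the Deployment Server.
# ds.example.com is a placeholder; 8089 is the default management port.
[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# ---- File 2: inputs.conf inside a deployment app ----
# e.g. deployment-apps/poc_inputs/local/inputs.conf (hypothetical app name).
# Shown as one file for brevity; in practice keep Linux and Windows
# stanzas in separate apps mapped to separate server classes.

# "host" is optional. When it is not set, the forwarder reports its own
# hostname, which is what you want when one file goes to 200 servers.
# Hard-coding a host value here would stamp every server's events
# with the same name.
# [default]
# host = $decideOnStartup

# Linux: read a text log as new lines are appended.
[monitor:///var/log/secure]
index = os_linux
sourcetype = linux_secure
disabled = 0

# Windows: Security event log.
[WinEventLog://Security]
index = wineventlog
disabled = 0

# Windows: CPU counters. Left disabled during the POC; flip to 0 from
# the Deployment Server once the data volume is understood.
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
index = perfmon
disabled = 1
```

After a forwarder phones home and restarts, `splunk btool inputs list --debug` on that host shows which file each effective setting came from.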