Re: Spunk Windows TA + Windows Universal Forwarder...

dreadangel · ‎05-14-2019

Hi,

There are any differences between Windows TA + Windows Universal Forwarder and clean Windows Universal forwarder installation?
Could you please specify any?.

Thank you in advamce

dstaulcu · ‎05-14-2019

the uf will ignore props and transforms config files and apply inputs.

koshyk · ‎05-14-2019

I'm not exactly sure what you want as answer as they are all completely different things

Windows Universal Forwarder is just the light weight Splunk collection software. This needs to be installed on your windows clients
Windows TA => This is the brain behind field extraction and enrichment of data. This is installed in your Heavy Forwarders, Search Heads and Indexers . Only the "Inputs" section of this TA needs to be installed in the Universal Forwarders. Best practice is to create your own app (eg MY_windows_inputs) and put all the inputs.conf you require
Clean Installation => I guessing it is the actual installation of the Windows Universal Forwader into the client machine. This is the binary install using an Administrator manually or via tools like SCCM/puppet

lakshman239 · ‎05-14-2019

Just a note - If we install the Windows UF on windows without any input config, we should be able to install the Splunk add on for windows on the endpoints (UF) as well and config inputs [ in a separate app or local]. https://docs.splunk.com/Documentation/WindowsAddOn/6.0.0/User/Install

Spunk Windows TA + Windows Universal Forwarder vs clean Windows Universal forwarder

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)