I am new to Splunk and trying to set up a test environment with a free license of Splunk Enterprise.
Below are some points about the test env.
1. It has 1 universal forwarder forwarding data to a heavy forwarder.
2. I have set up a heavy forwarder by installing the Splunk Enterprise free version and configured forwarding and receiving on the instance (on 9997).
3. I have installed a Splunk instance and only configured receiving on a particular port (9997).
Now my questions are:
1. Is it possible to set up such a test env with a free license?
2. Which server should I configure as deployment server (i.e. heavy forwarder or main Splunk instance)?
3. I can see in metrics.log that a TCP connection from the heavy forwarder is there and the throughput logs are also updating for the heavy forwarder IP, but there is no data at all in the GUI of the main Splunk instance?
4. Do I need to configure the heavy forwarder as deployment server for the universal forwarder and configure the Splunk instance as deployment server for the heavy forwarder?
Thanks in advance.
Answering your questions:
Is it possible to set up such a test env with a free license?
Yes; at https://www.splunk.com/en_us/products/features-comparison-chart.html you can see which features are disabled in the free license.
Which server should I configure as deployment server (i.e. heavy forwarder or main Splunk instance)?
In a test environment you can use the one you like; remember that in a production environment, and if you have more than 50 clients, you have to use a dedicated server.
I can see in metrics.log that a TCP connection from the heavy forwarder is there and the throughput logs are also updating for the heavy forwarder IP, but there is no data at all in the GUI of the main Splunk instance?
If you want logs from each Splunk server of your distributed environment you have to configure all servers (except indexers) to forward their logs to the indexers; in this way you centralize all Splunk logs and you can use the Splunk Monitoring Console app.
Do I need to configure the heavy forwarder as deployment server for the universal forwarder and configure the Splunk instance as deployment server for the heavy forwarder?
Usually there is one deployment server, otherwise you risk losing control of your deployment clients.
I used more than one DS only when I had restricted networks, so I used two HFs as UF concentrators (limiting firewall openings in this way); these UFs were managed by one of these HFs as DS.
If you can, the best solution is to use one dedicated machine as DS, also in test; remember that anyway search head clusters and indexer clusters aren't managed by the deployment server.
In addition, if your heavy forwarders are also syslog servers, you cannot manage them by DS because there's a risk of restarting them all at the same time to update, losing syslogs.
I hope this is useful for you.
Thank you very much for the reply. Your answers are very useful.
I have one more query:
Since I am not getting data in the main indexer GUI, is there anything else we have to do to capture data from the HF, except forwarding and receiving at the HF and receiving at the main indexer?
In my projects I used HFs only for two reasons:
on HFs you can filter logs and eventually send them to a third-party system (e.g. an external SIEM);
on an HF you can use local data for searching, giving a partial view to local users, but I never did it.
About the main index, you can create all the indexes you need to archive your logs.
1.) No (and yes). Splunk Free is limited in what you can do. Notable features which are disabled include the deployment server: https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/MoreaboutSplunkFree . You can, however, install the trial "at no cost", but it will be time limited to 60 days. This may satisfy your needs?
2.) Splunk best practice says deployment servers should not share roles with other functions; however, in reality nothing prevents you from running it on the indexer or HF. Since this is a lab, the choice is yours - however - see 4.
3.) You can access those logs through the UI - search for
4.) A deployment client cannot be a client of itself, so if you want to test pushing apps to the indexer, make the HF the DS. If you want to test pushing apps to the HF, choose the indexer. If you want to push apps to both the indexer and the HF, you will need another server.
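As an added example (not from any post in this thread), the .conf stanzas for the layout point 4 describes, with the heavy forwarder acting as deployment server for the universal forwarder. All names are constructed: the HF is hf-01 (reachable as hf-01.example.test), the UF is uf-01, and the pushed app is called uf_outputs_to_hf. Port 8089 is Splunk's default management port; 9997 is the receiving port already used in this thread. Splunk .conf files do not accept a comment after a value on the same line, so every comment is on its own line.

```ini
# Added example, not from any post in this thread. hf-01, uf-01 and the app
# name uf_outputs_to_hf are constructed names.

# --- hf-01 (deployment server): $SPLUNK_HOME/etc/system/local/serverclass.conf ---
[global]

# Membership by client name; the UF's clientName (further down) must match.
[serverClass:linux_ufs]
whitelist.0 = uf-*

# The app to push. restartSplunkd restarts the client after every update,
# so a syslog-receiving HF must not sit in a class like this: every restart
# drops the syslog messages that arrive while splunkd is down.
[serverClass:linux_ufs:app:uf_outputs_to_hf]
restartSplunkd = true
stateOnClient = enabled

# --- hf-01: $SPLUNK_HOME/etc/deployment-apps/uf_outputs_to_hf/local/outputs.conf ---
# Content of the pushed app: the UF is told to send to the HF.
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = hf-01.example.test:9997

# --- uf-01 (deployment client): $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# A client cannot be its own deployment server, so the UF points at the
# HF's management port, never at itself.
[deployment-client]
clientName = uf-01

[target-broker:deploymentServer]
targetUri = hf-01.example.test:8089
```

After editing serverclass.conf on the HF, run `splunk reload deploy-server` there; the UF then shows up under Settings > Forwarder Management on the HF once it has phoned home. As point 1 notes, none of this works under the Free license, so this layout needs a trial or paid instance as the DS.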
However, my issue/query is:
The heavy forwarder sends data to the main indexer. I have configured forwarding and receiving at the heavy forwarder and receiving at the main indexer, but there is no data in the GUI.
1. Do I need to click on the Add Data icon in the GUI and add the directory or port to get the data from the HF?
Have you installed any universal forwarders?
If you have installed a UF on Linux you will likely not see any logs at all in the main index (unless you have explicitly configured them).
Windows UFs install with a GUI and would have let you choose some files to monitor.
However, you should have data in the internal index if it's all working - try searching for
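The following is an added example, not code from any post in this thread: the minimal inputs.conf and outputs.conf stanzas for the UF > HF > indexer chain described in the question, together with the one thing the question does not mention, an input on the UF. Hostnames and addresses are constructed (uf-01, hf-01 at 10.0.0.5, idx-01 at 10.0.0.10); the monitored file and sourcetype are assumptions for a Linux UF. Splunk .conf files do not accept a comment after a value on the same line, so every comment sits on its own line.

```ini
# Added example, not from any post in this thread. uf-01, hf-01 (10.0.0.5)
# and idx-01 (10.0.0.10) are constructed names and addresses.

# --- uf-01: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# A Linux UF ships with no monitor stanzas, so without one nothing except its
# own _internal logs ever leaves the host. This stanza collects the auth log.
[monitor:///var/log/auth.log]
index = main
sourcetype = linux_secure

# --- uf-01: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = 10.0.0.5:9997

# --- hf-01: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receive cooked data from the UF on 9997.
[splunktcp://9997]
disabled = 0

# --- hf-01: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Everything the HF receives or collects is sent on, including its own
# _internal index, which the default forwardedindex filters let through.
[tcpout]
defaultGroup = idx_group

[tcpout:idx_group]
server = 10.0.0.10:9997

# Do not keep a local copy on the HF. With this off, searching on the HF
# itself returns nothing, which is expected; the data is on idx-01.
[indexAndForward]
index = false

# --- idx-01: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The indexer only needs to listen. No Add Data step is needed for data that
# arrives over splunktcp; the main index exists by default.
[splunktcp://9997]
disabled = 0
```

After restarting each instance, three searches on idx-01 separate the possible failure points: `index=_internal host=hf-01` confirms the HF's own logs reach the indexer (forwarded by default, so this works even with no inputs configured anywhere); `index=_internal source=*metrics.log group=tcpin_connections` lists the sources the indexer is receiving from, which should include 10.0.0.5; and `index=main earliest=-15m | stats count by host` shows whether any collected events arrive. If the first two succeed and the third is empty, the chain is fine and the problem is a missing input on the UF, as the answer above describes. On the HF, `splunk list forward-server` shows whether idx-01 is an active or a configured-but-inactive destination.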