Deployment Architecture

Prefered architecture for logs anonymization | Windows OS logs


Hello Splunkers,

I'm having this specific use case : I need to retrieve Windows OS logs from multiple machine via Splunk UF and Splunk Microsoft TA, forwards those logs to an intermediate HF in charge of parsing and anonymization, and then forward again to another HF.

Since an image worth 1000 words, I imagine those two architecture possibilities :

 Choice 1 :


Choice 2 :



Points I wonder about :

- Within choice 1, is it a problem to have props and transforms in a apps deployed on UFs ? Same question, is it a problem to have some inputs.conf on the Linux HF1 ?

- I will have other use case like this, would you recommend to gather all anonymization (within props & transforms) within a dedicated app, or would you put those in each TA related to the use case (so basically here like choice 1 of architecture) ?


Thanks a lot for your help !


0 Karma

Path Finder

Hello @GaetanVP,

Below is something that might be helpful for you:

- Create 2 different server classes for windows and linux distributions.

- Splunk_TA_windows will need to be deployed on the windows server classes only.

- The anonymization of the logs should be done via a dedicated app and on the full fledged Splunk Enterprise Installation which in your case is Linux HF. The universal forwarders are incapable for transforming the data.

- Push the dedicated anonymizer app to linux HFs via deployment server through the server class created for linux distributions.

- This way you won't need to have windows input enabled/present on the linux instances nor would you have to push the anonymizer configs on the unwanted UF instances.

Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...