I'm having this specific use case : I need to retrieve Windows OS logs from multiple machine via Splunk UF and Splunk Microsoft TA, forwards those logs to an intermediate HF in charge of parsing and anonymization, and then forward again to another HF.
Since an image worth 1000 words, I imagine those two architecture possibilities :
Choice 1 :
Choice 2 :
Points I wonder about :
- Within choice 1, is it a problem to have props and transforms in a apps deployed on UFs ? Same question, is it a problem to have some inputs.conf on the Linux HF1 ?
- I will have other use case like this, would you recommend to gather all anonymization (within props & transforms) within a dedicated app, or would you put those in each TA related to the use case (so basically here like choice 1 of architecture) ?
- Create 2 different server classes for windows and linux distributions.
- Splunk_TA_windows will need to be deployed on the windows server classes only.
- The anonymization of the logs should be done via a dedicated app and on the full fledged Splunk Enterprise Installation which in your case is Linux HF. The universal forwarders are incapable for transforming the data.
- Push the dedicated anonymizer app to linux HFs via deployment server through the server class created for linux distributions.
- This way you won't need to have windows input enabled/present on the linux instances nor would you have to push the anonymizer configs on the unwanted UF instances.