Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPLUNK Universal Forwarder - Will it to the job

willadams
Contributor
‎04-26-2018 04:40 PM

My configuration is as follows:

WIndows Machine with a logging agent (using SNARE as unable to use SPLUNK UF due to other requirements) ==> Logs sent to a CentOS virtual machine with SPLUNK Universal forwarder on it ==> CentOS UF transmits logs to SPLUNK Enterprise

This configuration works and I get the logs I need. In it's current state it will do it's job but I am thinking when I scale this whether or not the SPLUNK universal forwarder on the CentOS machine is capable of handling the log throughput (moving from 1 machine to say 250). The intent is to simply use the CentOS machine and its SPLUNK UF to push this up to SPLUNK Enterprise. I don't care about log retention on the CentOS machine.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎04-26-2018 06:57 PM

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎04-26-2018 06:57 PM

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-26-2018 07:24 PM

Thanks. The filtering is already done at the agent so will continue on with the UF and not the HF.

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-26-2018 04:42 PM

Some additional info the logs are being streamed across so the only time the data gets to rest is when it gets to SPLUNK Enterprise.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...