Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPLUNK Universal Forwarder - Will it to the job

willadams
Contributor
‎04-26-2018 04:40 PM

My configuration is as follows:

WIndows Machine with a logging agent (using SNARE as unable to use SPLUNK UF due to other requirements) ==> Logs sent to a CentOS virtual machine with SPLUNK Universal forwarder on it ==> CentOS UF transmits logs to SPLUNK Enterprise

This configuration works and I get the logs I need. In it's current state it will do it's job but I am thinking when I scale this whether or not the SPLUNK universal forwarder on the CentOS machine is capable of handling the log throughput (moving from 1 machine to say 250). The intent is to simply use the CentOS machine and its SPLUNK UF to push this up to SPLUNK Enterprise. I don't care about log retention on the CentOS machine.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎04-26-2018 06:57 PM

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎04-26-2018 06:57 PM

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-26-2018 07:24 PM

Thanks. The filtering is already done at the agent so will continue on with the UF and not the HF.

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-26-2018 04:42 PM

Some additional info the logs are being streamed across so the only time the data gets to rest is when it gets to SPLUNK Enterprise.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...