Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPLUNK Universal Forwarder - Will it to the job

willadams
Contributor
‎04-26-2018 04:40 PM

My configuration is as follows:

WIndows Machine with a logging agent (using SNARE as unable to use SPLUNK UF due to other requirements) ==> Logs sent to a CentOS virtual machine with SPLUNK Universal forwarder on it ==> CentOS UF transmits logs to SPLUNK Enterprise

This configuration works and I get the logs I need. In it's current state it will do it's job but I am thinking when I scale this whether or not the SPLUNK universal forwarder on the CentOS machine is capable of handling the log throughput (moving from 1 machine to say 250). The intent is to simply use the CentOS machine and its SPLUNK UF to push this up to SPLUNK Enterprise. I don't care about log retention on the CentOS machine.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎04-26-2018 06:57 PM

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎04-26-2018 06:57 PM

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-26-2018 07:24 PM

Thanks. The filtering is already done at the agent so will continue on with the UF and not the HF.

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-26-2018 04:42 PM

Some additional info the logs are being streamed across so the only time the data gets to rest is when it gets to SPLUNK Enterprise.

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...