What is the best way to setup forwarding?

mkmur55 · ‎04-02-2018

First time Newbie. I have 2 VMs running RHEL 7.4. Both are running the Splunk app. 1 is set for forwarding and 1 for receiving from within the app under "Settings". It looks like it's working but I also see references to Universal Forwarders. What is the best way to go? This is just for learning purposes.

Thanks

Mike Murphy

skoelpin · ‎04-02-2018

The remote server that is forwarding data should have a Universal Forwarder installed and the server that is receiving the data should have a full Splunk Enterprise install

Here's info for the Universal Forwarder

http://docs.splunk.com/Documentation/Forwarder/7.0.3/Forwarder/Configuretheuniversalforwarder

sloshburch · ‎04-26-2018

To build on this, while "best" is an "it depends" provoking question, I want to share with you that when I first started playing with Splunk, I also started with the classic full Splunk Enterprise install. Only after learning more and understanding the differences in forwarder types was I able to make a more informed choice to switch to the Universal Forwarder.

So, there's nothing "wrong" with what you're doing. I suggest, as you get more comfortable, read some of this material to learn more about the choices you are able to make, should you choose to make them.

Also, take a peek at the system requirements for Splunk on VMs. Those VMs are probably fine to play with but there's things to consider and min specs to get to when it's time to party in production.

What is the best way to setup forwarding?

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability