Deployment Architecture

splunk add on builder or forwarder

youSayGo
Explorer

Hi, I am SE for a company, for our customers, we have log files available via an URL API, ex https://logs.company.com/api, we use a Python script to obtain our logs, the script is run on a Splunk Forwarder which sends the various logs to a Splunk Enterprise. This all works fine. I have an external customer that uses this method described above but now they want to switch to Splunk Cloud. Previously, their Forwarder and Indexer were installed on premises. My question: what is best method to get the same logs into Splunk Cloud? Should we use the existing Forwarder and re-run it to point from local Enterprise to new Splunk Cloud? Or should we use the Splunk Add On Builder? What is confusing me are knowing when or not to use the Add On Builder? I hope I provided enough info for just a high level architecture decision.

Why would we build and use a Splunk Add On instead of using a Forwarder? 

Current: URL API Logs are extracted via a Python script (with a TOKEN) running on a local Linux Forwarder which sends the logs to a local premises Splunk Indexer.

New Option 1: URL API Logs are extracted via Python script (with TOKEN) running on a local Linux Forwarder which sends the logs to Splunk Cloud

New Option 2: URL API Logs are extracted via Splunk Add On (with TOKEN?) running <where?> which sends the logs to Splunk Cloud. 

Thank you, Shane

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The Add-On Builder is not an alternative to forwarders.  The AoB is used to construct Splunk apps, but those apps still need a place to run - a forwarder.

Have the external customer download the Universal Forwarder app from Splunk Cloud and install it on their forwarders.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The Add-On Builder is not an alternative to forwarders.  The AoB is used to construct Splunk apps, but those apps still need a place to run - a forwarder.

Have the external customer download the Universal Forwarder app from Splunk Cloud and install it on their forwarders.

---
If this reply helps you, Karma would be appreciated.

youSayGo
Explorer

Hi, thank you very much for the reply, question answered and upvoted. Ill stay away from AoB until I come across the use case, until then...Universal Forwarder is the plan. Thank you, Shane

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...