
splunk add on builder or forwarder

youSayGo
Explorer

Hi, I am an SE for a company. For our customers, we have log files available via a URL API, e.g. https://logs.company.com/api. We use a Python script to obtain our logs; the script is run on a Splunk Forwarder which sends the various logs to a Splunk Enterprise. This all works fine. I have an external customer that uses the method described above, but now they want to switch to Splunk Cloud. Previously, their Forwarder and Indexer were installed on premises. My question: what is the best method to get the same logs into Splunk Cloud? Should we use the existing Forwarder and re-run it to point from the local Enterprise to the new Splunk Cloud? Or should we use the Splunk Add On Builder? What is confusing me is knowing when to use the Add On Builder and when not to. I hope I provided enough info for just a high level architecture decision.

Why would we build and use a Splunk Add On instead of using a Forwarder?

Current: URL API Logs are extracted via a Python script (with a TOKEN) running on a local Linux Forwarder which sends the logs to a local premises Splunk Indexer.

New Option 1: URL API Logs are extracted via Python script (with TOKEN) running on a local Linux Forwarder which sends the logs to Splunk Cloud

New Option 2: URL API Logs are extracted via Splunk Add On (with TOKEN?) running <where?> which sends the logs to Splunk Cloud.

Thank you, Shane


richgalloway
SplunkTrust

The Add-On Builder is not an alternative to forwarders. The AoB is used to construct Splunk apps, but those apps still need a place to run - a forwarder.

Have the external customer download the Universal Forwarder app from Splunk Cloud and install it on their forwarders.

---
If this reply helps you, Karma would be appreciated.
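How Option 1 is typically wired on the forwarder, added here as an illustration and not code from the poster or from Splunk: a scripted input runs the pull script on an interval, the script reads the API token from the environment, keeps a checkpoint so a re-run cannot duplicate events already indexed, and writes one JSON event per line to stdout for the forwarder to ship. The API URL is the one from the post; its `since` parameter, the record shape and the variable and file names are assumptions.

```python
"""Scripted input for a Splunk forwarder pulling logs from an HTTP API.

Hypothetical wiring, assumed to live in an app's inputs.conf on the forwarder:
    [script://$SPLUNK_HOME/etc/apps/log_pull/bin/pull_logs.py]
    interval = 300
    sourcetype = company:api:json
The API's `since` parameter and {"ts": ..., "msg": ...} record shape are assumptions.
"""
import json
import os
import sys
import urllib.request

API_URL = "https://logs.company.com/api"  # URL from the post
CHECKPOINT_FILE = os.environ.get("LOG_PULL_CHECKPOINT", "/var/tmp/log_pull.checkpoint")


def load_checkpoint(path):
    """Return the last timestamp already forwarded, or 0 on the first run."""
    try:
        with open(path) as f:
            return int(f.read().strip() or 0)
    except FileNotFoundError:
        return 0


def fetch_records(url, token, since):
    """Fetch records newer than `since`. The token travels in a header, not the
    query string, so it does not end up in proxy or web-server access logs."""
    req = urllib.request.Request(f"{url}?since={since}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_new(records, since):
    """Keep only records strictly newer than the checkpoint, oldest first,
    so re-running the script never re-emits events the indexer already has."""
    return sorted((r for r in records if int(r["ts"]) > since), key=lambda r: int(r["ts"]))


def run(fetch=fetch_records, out=sys.stdout):
    token = os.environ["LOG_API_TOKEN"]  # set in the forwarder's environment, never hard-coded
    since = load_checkpoint(CHECKPOINT_FILE)
    new = select_new(fetch(API_URL, token, since), since)
    for r in new:
        out.write(json.dumps(r, separators=(",", ":")) + "\n")  # one event per line
    if new:  # advance the checkpoint only after the events have been written out
        with open(CHECKPOINT_FILE, "w") as f:
            f.write(str(int(new[-1]["ts"])))
    return len(new)


if __name__ == "__main__":
    run()
```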


youSayGo
Explorer

Hi, thank you very much for the reply, question answered and upvoted. I'll stay away from AoB until I come across the use case; until then... Universal Forwarder is the plan. Thank you, Shane
