Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can Heavy Forwarder monitor a Folder and forwards to Splunk indexer ?

premrajvs
Explorer
‎11-08-2022 04:56 AM

I want to run some commands on my splunk Heavy forwarder servers and output the results to a folder. I want to monitor these folders and push the data to Splunk indexers. Is my only option installing Universal forwarders on the same server or configuring inputs and outputs.conf ?

Labels (2)
Labels
0 Karma
Reply

premrajvs
Explorer
‎11-08-2022 06:22 AM

@gcusello The servers I am referring to are Heavy Forwarder Servers. They are not application servers. I want to run few commands on these Heavy Forwarder servers and output the results to  files and this data I want to push to Splunk and track it. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-05-2024 06:29 AM

Hi @premrajvs ,

you can input these files on an HF in the same way of on UF and also by GUI (it's easiest).

Then youcan forward them to the indexers.

Why do you want to install an UF on the same server?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 06:36 AM

Hi @premrajvs,

as I said, you can use them to read some files or run some scripts and forwardr data to Splunk.

My question is: why are you using Heavy Forwarders instead Universal Forwarders?

whar are the feature requested to these servers so you decided to use HFs instead UFs?

HFs require more hardware resources (at least 12 CPU and 12 GB RAM), instead UFs requires very few resources.

The only reason to have HFs is that you need them to run some special apps e.g. to pull data from Cloud Providers or from Active Directory, if you have only to read files or execute scripts, you can use an UF.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 06:13 AM

Hi @premrajvs,

absolutely not: if you have an Heavy Forwarder (or another Full Splunk instance), you can use it to input and forward data to Indexers.

The real question is: do you really need an Heavy Forwarder or can you also use a Universal Forwarder?

Because a Universal Forwarder requires less resources than an HF.

Ciao.

Giuseppe

0 Karma
Reply

sturmovik
Loves-to-Learn
‎02-05-2024 05:51 AM

There are situations where an HF needs to forward log and security data located on itself and running an HF and SUF on the same host runs into problems. 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...