I am new to Splunk. I have set it up on my server, set up an indexer, and set up the logging in my switch, but I have no data. I do not see the option for Cisco:ios. How do you install the technology plugin?
The best practice is to use a syslog aggregation tier and then use the Universal Forwarder on top of your syslog server(s). This gives you the most reliability, auto-load balances the data if you have a distributed setup and will not cause data loss if you need to re-start your Splunk infrastructure. I highly recommend you go this route.
If you don't have syslog servers then you can syslog directly to Splunk.
