Complete Splunk beginner here.
I am learning to use Splunk. We have a bunch of Windows machines that we want to pull the logs from.
This is what I understand from the docs, but please correct me if I am wrong.
Thanks. The docs are confusing as there is a mix-up of Splunk Enterprise with Splunk Light, and they are not comprehensive enough for the multitude of options you can configure with Splunk.
Based on feedback such as yours we are working to make the Splunk Light forwarding documentation clearer and more self-contained. In the meantime, the following topics in the Splunk Light docs should provide the info that you need to get started:
The process of configuring your forwarders as deployment clients is optional, but is required if you want to use the Add Data workflow in the Splunk Light user interface (instead of managing data inputs at the command line or config file level on each forwarder).
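As an added illustration of the config-file route mentioned above (not part of the original answer or of Splunk's docs), these are the minimal stanzas a Windows universal forwarder needs to ship event logs to a Splunk Light instance and, optionally, register with it as a deployment client. Hostnames are placeholders; the ports are the conventional Splunk defaults (9997 for receiving, 8089 for management) and are assumptions, so match them to what is actually enabled on the receiver.

```ini
; ---- On each Windows forwarder ----
; C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
; Where to send the data. <splunk-light-host> is a placeholder.
[tcpout]
defaultGroup = splunk_light

[tcpout:splunk_light]
server = <splunk-light-host>:9997

; C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
; Which Windows event logs to collect. Add System/Application as needed.
[WinEventLog://Security]
disabled = 0

; C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf
; Optional: makes the forwarder show up as a deployment client so the
; Add Data workflow in the Splunk Light UI can manage inputs centrally.
[deployment-client]

[target-broker:deploymentServer]
targetUri = <splunk-light-host>:8089

; ---- On the Splunk Light instance ----
; $SPLUNK_HOME/etc/system/local/inputs.conf
; The receiving port must be open here, or forwarders will connect and
; fail silently while the UI reports that no forwarders are configured.
[splunktcp://9997]
disabled = 0
```

After restarting both sides, the receiver can be checked with `splunk list forward-server` on the forwarder (it should list the receiver as active) and by searching `index=_internal source=*metrics.log group=tcpin_connections` on the Splunk Light side, which shows each forwarder that has connected.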
An issue is the Receive Data from forwarder doesn't appear to actually work. It says there are no forwarders configured when there are, because data is coming in from files being ingested.
Not only is the documentation bad, it just doesn't work.
It feels like Splunk Light is a second-class citizen. It is hard to sell this to clients when it is almost impossible to set up without doing everything in the back-end with file configurations.