Getting Data In

How to configure universal forwarders (deployment clients) on Windows machines to send logs to Splunk Light?

tejasplunk
Engager

Complete Splunk beginner here.

I am learning to use Splunk. We have a bunch of Windows machines that we want to pull the logs from.

This is what I understand from the docs, but please correct me if I am wrong.

  1. Install Splunk Light full version on one of the servers.
  2. Install universal forwarders on however number of machines you want (tick the logs you want to forward and give the ip address and port number of the Splunk Light instance) default 9997.
  3. Go to Splunk Web, now I go to forward data, but it says there are no deployment clients configured to talk to this Splunk instance! I didn't get this deployment server and deployment client. Do I need a deployment server in my scenario? Where are all the forwarders are supposed to forward events to in a single instance of Splunk Light?
  4. I started seeing the host under search tab, under host. (Is this how the forwarder is supposed to work?) as the hosts added pop-up here.

Thanks. The docs are confusing as there is a mix up of Splunk Enterprise with Splunk Light and they are not comprehensive enough for the multitude of options you can configure with Splunk.

andrewb_splunk
Splunk Employee
Splunk Employee

Based on feedback such as yours we are working to make the Splunk Light forwarding documentation clearer and more self-contained. In the meantime, the following topics in the Splunk Light docs should provide the info that you need to get started:

The process of configuring your forwarders as deployment clients is optional, but is required if you want to use the Add Data workflow in the Splunk Light user interface (instead of managing data inputs at the command line or config file level on each forwarder).

shadcollins
Engager

An issue is the Receive Data from forwarder doesn't appear to actually work. It says there are no forwarders configured when there are because data is coming in from file's being ingested.

Not only is the documentation bad, it just doesn't work.

It feels like Splunk Light is a second-class citizen. It is hard to sell this to clients when it is almost impossible to set up without doing everything in the back-end with file configurations.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...