I didn't find the cloud documentation very clear...
Do I need to install Splunk Enterprise separately to have a heavy forwarder and then configure my Splunk Cloud license?
Do I need to ask Splunk support for an Enterprise license?
After all, how do I configure a heavy forwarder? And what address do I put in the Universal Forwarder? The IP or the hostname of the cloud?
I've read the following threads and it gets more and more confusing:
https://www.splunk.com/en_us/resources/videos/splunk-cloud-tutorial.html
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Admin/WindowsGDI Step2
Can you help me please?
Regards
As @gcusello said - it's a bit complicated to advise a proper architecture for a particular case. There are many conditions and border cases which might need to be taken into account. As I see, there are various source systems which need to be connected (and for each there should be a proper connection type chosen and configured). It looks like a full-blown deployment project for which you should contact either Professional Services or your local Splunk partner who employs skilled architects who will do that with you.
Hello @PickleRick
Thank you very much for your help.
The situation is a little more complex when it comes to activating SPLUNK support here in Brazil. My client switched support and it's the first time I have to “help” with “simple architectural design” in an environment that I didn't set up. The customer does not have access to the panel for us to open a ticket, that's why so many questions. You helped me a lot around here.
Regards.
Day 🙂
Hi @Dayane_tr,
I don't think that you can install a UF on Fortigate, and I'm not sure about SentinelOne because they are closed systems.
Usually these kinds of systems send their logs by syslog to a Splunk server (HF or UF).
Anyway, the correct architecture is to have two HFs (better) or eventually two UFs with a Load Balancer in front (eventually a DNS configuration) to distribute load and manage failover of one of the two machines.
The App distributed by Splunk Cloud for the connection must be installed on all machines that directly communicate with it, usually the two HFs or UFs used as concentrators.
All the other UFs must be configured to send their logs to the concentrators.
About Architecture, it isn't a thing that can be solved in the Community, you need the intervention of a Splunk Architect.
I suggest following at least a course for Splunk Admin and engaging a Splunk Architect or Splunk PS to design your architecture.
Bye.
Giuseppe
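As an added illustration (not from any post in this thread), here is how the layout Giuseppe describes maps onto Splunk .conf files: the "other" UFs point at the two concentrator HFs, the HFs receive both forwarder traffic and syslog, and only the HFs carry the Splunk Cloud connection app. Hostnames, ports, index and sourcetype names are placeholders I chose, not values from this thread.

```ini
# --- outputs.conf on every "other" UF (Windows/Linux hosts) ---
# The UF never talks to Splunk Cloud directly. It lists both concentrators;
# the UF alternates between them (auto load balancing) and fails over to the
# surviving one if a concentrator goes down. Hostnames are placeholders.
[tcpout]
defaultGroup = cloud_concentrators

[tcpout:cloud_concentrators]
server = hf1.example.local:9997, hf2.example.local:9997
# switch target roughly every 30 s so load is spread across both HFs
autoLBFrequency = 30
# wait for the HF to acknowledge data before dropping it from the UF queue
useACK = true

# --- inputs.conf on each concentrator (HF) ---
# Accept the forwarder-to-forwarder stream from the UFs above.
[splunktcp://9997]
disabled = 0

# Accept syslog from closed systems (Fortigate, SentinelOne) that cannot run
# a UF. "network_placeholder" must exist as an index in Splunk Cloud; replace
# the sourcetype with the vendor add-on's sourcetype when you install one.
[tcp://514]
sourcetype = syslog
connection_host = dns
index = network_placeholder

[udp://514]
sourcetype = syslog
connection_host = ip
index = network_placeholder

# --- outputs.conf on the HFs ---
# Do not hand-write this file on the concentrators. The forwarder credentials
# app you download from your Splunk Cloud instance supplies the outputs.conf
# (and the certificates) that point the HF at the cloud indexers. Install that
# app on the two HFs only, never on the UFs behind them.
```

On Linux, binding port 514 requires the Splunk process to run as root or to have the capability to bind privileged ports; otherwise use a port above 1024 and adjust the devices' syslog destination to match.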
Hi @gcusello
Sorry if I bothered you with so many questions! This is a forum, and I believe I can ask as many questions as necessary to clear my doubts? Right?
When I referred to architecture...well, I asked for a simple drawing and not someone to do the work for me. 🙂
Thank you very much for your attention and patience here. I found many different solutions with other kind colleagues on this issue. Success in your career.
Thanks a million
D.
Sure thing. The community is for sharing the knowledge and that's what we're trying to do here.
It's just that sometimes we pass the level of details that we're effectively moving into what a qualified person should do on-site. Like sitting with you, getting the _detailed_ information about the infrastructure and designing the proper solution. Because otherwise, without the full knowledge of your setup it's easy to misadvise and we wouldn't want that 🙂
Hi @Dayane_tr,
don't worry, it's always a pleasure!
Bye and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉