Getting Data In

Indexer vs universal forwarder

nareshinsvu
Builder

Hi,

I have a remote file (on server 2) which can be accessed directly from my Indexer (on server 1). What is the best and recommended way to ingest data from that file into the indexer?

 

1) Read directly from indexer's inputs.conf (monitor://remote-path to the file) - Everything on server 1

2) Install universal forwarder on the target machine and forward data (complete log file. no props and transforms) - indexer on server1 and forwarder on server 2

 

What's the main difference between these 2 options? Pros and cons?

 

Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @nareshinsvu,

You have a little confusion:

props.conf and transforms.conf are on the Indexer in both cases because they work in the parsing, merging and typing phases.

Instead, inputs.conf depends on the choice you're working with.

There's only one exception to this rule: for the input of CSV files, props.conf must also be on the Forwarder.

Anyway, answering your question: if possible, using a Universal Forwarder on the target server is the best approach because you optimize the input phase and the network bandwidth.

In addition (if you like) you can encrypt the transmission.

The other solution is the one to use if you cannot install the UF on the target server: e.g. it's an old operating system, or there aren't resources, or you simply don't want to install anything on it.

Ciao.

Giuseppe

0 Karma
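
The two options from the question, side by side as Splunk configuration, including TLS on the forwarder link mentioned in the answer. This is an added example, not part of the original posts; the hostnames, paths, index, sourcetype, output group name and certificate locations are assumptions.

```ini
# --- Option 1: indexer (server 1) reads the remote file itself ---
# inputs.conf on server 1
# Assumes server 2's log directory is mounted at /mnt/server2 (hypothetical path).
[monitor:///mnt/server2/logs/app.log]
index = main
sourcetype = app_log
# Without this, events carry the indexer's own hostname instead of server 2's.
host = server2

# --- Option 2: Universal Forwarder on server 2 sends to the indexer ---
# inputs.conf on the forwarder (server 2)
[monitor:///var/log/app/app.log]
index = main
sourcetype = app_log

# outputs.conf on the forwarder (server 2)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = server1.example.com:9997
# TLS for the forwarder-to-indexer link.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <private-key-password>
sslVerifyServerCert = true
# Indexer acknowledgement, so data in flight is resent if the link drops.
useACK = true

# server.conf on both hosts: CA used to validate the peer's certificate
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# inputs.conf on the indexer (server 1): TLS receiving port
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <private-key-password>
# Only accept forwarders that present a certificate signed by the CA above.
requireClientCert = true
```

In both options props.conf and transforms.conf stay on the indexer, as the answer states; only the location of the monitor stanza changes.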


gcusello
SplunkTrust

Hi @nareshinsvu,

Good!

ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma