Getting Data In

Is it possible to send application logs at the universal forwarder directly to my searchhead?

singhkrmanish76
New Member

I want to fetch DNS and DHCP logs from my server directly to my local system, where I have my Splunk enterprise, without implementing HF and others.

Is it possible to do so? If yes then how? Kindly help!

0 Karma

woodcock
Esteemed Legend

Why? What would the Search Head do with them (it is not an Indexer)?
Take a step back. What is the problem that you think this will solve?

0 Karma

Richfez
SplunkTrust

It could be possible.

You don't provide any details on where the logs are, how they are stored/recorded or anything like that, so I'll have to give a generic answer.

First, keep handy the Splunk Getting Data In manual; it's really very useful.

If the server storing the logs is windows and the logs are stored on disk, you could map a drive from your system to the logs folder then just read them off that mapped drive. This is probably not ideal, but should work fine for reasonably light log files (e.g. you aren't ingesting 200GB/day over this I hope).

For testing you could just manually copy a pile of the log files to your system into a local folder that you've told Splunk to monitor - repeat as required. This is a pain in the rear unless you really just need to do a little testing, but if all you need is some data to play with and you don't mind copying more data every now and then, it can be just fine.

If on the other hand it's in the windows event logs, I'd really suggest the universal forwarder - the install is quick and painless, the configuration to read the event logs is easy and it'll work much better than any other method.

If it's a *nix box of some sort, well, both "file" ways still hold true. Mapping a drive could be done with SMB or NFS, copying can be done via whatever method you'd like to use. The sky's the limit.

If you really wanted, you could probably write a script that sends it in via HEC (documented in Splunk docs) or some other method, but I'd stick with the simple, easy ones. Trying to go any farther means, IMO, that you should just install the UF. It's really not a big deal. 🙂

0 Karma
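For the "script that sends it in via HEC" route mentioned in the answer above, here is an added example (not code from the thread or from Splunk) of a minimal Python sender: it wraps raw log lines as HEC JSON events and POSTs them to the standard `/services/collector/event` endpoint. The Splunk host, the token, and the sample DNS lines are constructed placeholders, and the `time` value is passed in so the payload builder is deterministic.

```python
import json
import time
import urllib.request

# Constructed sample lines in a Windows DNS debug-log style (assumed format, not from the thread).
SAMPLE_DNS_LINES = [
    "1/15/2024 10:01:02 AM 0A2C PACKET UDP Rcv 10.0.0.15 Q [0001 D NOERROR] A (7)example(3)com(0)",
    "1/15/2024 10:01:03 AM 0A2C PACKET UDP Snd 10.0.0.15 R Q [8081 DR NOERROR] A (7)example(3)com(0)",
]

# Placeholders: replace with the real search head / indexer and the HEC token you created.
HEC_URL = "https://SPLUNK_HOST:8088/services/collector/event"
HEC_TOKEN = "REPLACE-WITH-HEC-TOKEN"


def build_hec_batch(lines, host, source, sourcetype, index="main", now=None):
    """Turn raw log lines into a newline-delimited batch of HEC JSON events.

    Blank lines are skipped; 'now' (epoch seconds) is used as the event time
    so the indexer does not have to guess it from the raw text.
    """
    stamp = int(time.time()) if now is None else now
    events = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        events.append(json.dumps({
            "time": stamp,
            "host": host,
            "source": source,
            "sourcetype": sourcetype,
            "index": index,
            "event": line,
        }))
    return "\n".join(events)


def send_to_hec(batch, hec_url=HEC_URL, token=HEC_TOKEN, timeout=10):
    """POST one batch to HEC and return the HTTP status code (200 on success).

    urllib verifies the server certificate by default; a self-signed HEC cert
    needs its CA trusted on this machine rather than verification disabled.
    """
    req = urllib.request.Request(
        hec_url, data=batch.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print(send_to_hec(build_hec_batch(SAMPLE_DNS_LINES, "dns01", "dns.log", "dns:debug")))
```

For a real run, read the DNS or DHCP log file line by line and call `build_hec_batch` on chunks of a few hundred lines so each POST stays well under the HEC payload limit.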