- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoring Computers connect to a network
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Install a Splunk Universal Forwarder on each remote computer. Configure the forwarder to send the desired information to your indexer(s).
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the doc, but unfortunately, my Splunk's CLI keeps exiting as soon as I open it, so I can't add the forwarder as an input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree that using a forwarder is usually the best and easiest way. A good documentation read can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkcanmonitor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


How Splunk reaches out to other computers depends on the computer and how the data is stored. Splunk DB Connect, for example, can extract data from an SQL database. Scripted inputs can be created where the script launches a program that queries other computers for data and indexes it in Splunk. Using a forwarder is usually the easiest way.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I most likely am going to use forwarders then, but how can Splunk be configured to grab data from other computers? It sounds to be more difficult to set up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Splunk can only search for and alert on data in its indexes. While it's possible for Splunk to grab data from other computers, the more common approach is for the other computers to send data to Splunk. If the data you need is already indexed then you don't need a forwarder.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the main computer with Splunk has access to the Users via the Network, and I'm looking for specific data, can I just use the Add Data and fill out the information to, say, record if a User incorrectly logs in 5 times and send an email alert? Or do I still have to set up the forwarder?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Correct. Fortunately, they'll all be configured the same so all you have to do is set up one and copy the config to the others.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each forwarder, then, needs to be configured to handle data on the local system and only send information I specify to the main computer, correct?
