Getting Data In

What are the pros and cons of installing a UF on same machine as my Splunk instance?

mawomommoh
Path Finder

I know it is possible to install a UF on the same machine as my Splunk instance as stated in these posts:
1. https://answers.splunk.com/answers/131245/running-a-universal-forwarder-on-the-same-server-as-the-en...
2. https://answers.splunk.com/answers/471936/install-both-universal-forwarder-and-splunk-enterp.html

but I would like to know if there are notable reasons to do so or not.
- Are there any benefits to having both on the same machine or otherwise?
- What is the best practice and why is that so?
- Which approach is most prone to errors?

Thanks in advance! 🙂


xpac
SplunkTrust

Don't. 😉

Unless you have a pretty good reason, and a special edge use case, I don't see a good reason to do it.
In general (and by best practice), your Search Heads/Indexers/other full Splunk instances should be dedicated to that role, and not do anything else. However, if you need to run a certain input/script on them, you can do that without having a separate UF, and you could distribute such settings from a Deployment server.

So - as mentioned in the other posts you linked, it's possible, but something I'd reserve for a lab/test setup/POC/any other non-productive setup, and also only if I have good reasons. Other than that, you'll have additional overhead/troubleshooting effort, unless you're firm enough with Splunk that this won't cause you trouble. You'd have to set up ports that differ from the defaults, etc.

Basically - tell us why you think of doing this, and we can give you some much better pro/cons. 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
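Added example (not from this thread or from Splunk): a pre-flight shell check for the port clash the answer above refers to. Both splunkd builds ship with management port 8089, set via `mgmtHostPort` in `web.conf`; the script reads the effective value from two install roots and flags a collision. The install paths and sample config files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the port clash that makes running a
# UF next to Splunk Enterprise on one host error-prone. Both splunkd builds
# default their management port to 8089; the effective value comes from
# [settings] mgmtHostPort in web.conf (etc/system/local overrides default).
set -eu

# Print the effective splunkd management port for one $SPLUNK_HOME.
mgmt_port() {
  local home="$1" f val=""
  for f in "$home/etc/system/local/web.conf" "$home/etc/system/default/web.conf"; do
    if [ -f "$f" ]; then
      val=$(sed -n 's/^[[:space:]]*mgmtHostPort[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
      [ -n "$val" ] && break
    fi
  done
  val="${val:-127.0.0.1:8089}"   # Splunk's shipped default
  printf '%s\n' "${val##*:}"      # drop the host part, keep the port
}

# Compare two install roots; exit status 1 means they would fight over a port.
check_conflict() {
  local p1 p2
  p1=$(mgmt_port "$1")
  p2=$(mgmt_port "$2")
  if [ "$p1" = "$p2" ]; then
    echo "CONFLICT: $1 and $2 both want management port $p1"
    echo "  (move one of them with: splunk set splunkd-port <port>)"
    return 1
  fi
  echo "OK: $1 uses $p1, $2 uses $p2"
}

# Constructed sample layout (hypothetical paths, not a real install) so the
# script runs stand-alone: both installs left at the shipped default port.
make_sample() {
  local root="$1" d
  for d in splunk splunkforwarder; do
    mkdir -p "$root/$d/etc/system/local"
    printf '[settings]\nmgmtHostPort = 127.0.0.1:8089\n' > "$root/$d/etc/system/local/web.conf"
  done
}

# Demo run against the constructed layout (reports the conflict, then cleans up).
root=$(mktemp -d)
make_sample "$root"
check_conflict "$root/splunk" "$root/splunkforwarder" || true
rm -rf "$root"
```

Point it at the real roots (for example `/opt/splunk` and `/opt/splunkforwarder`) before starting the second instance; the same idea extends to the web port and any receiving port you configure.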


mawomommoh
Path Finder

Thanks for the response. So in a situation where the files that need to be forwarded to Splunk are created locally on the machine in which the Splunk instance is installed, wouldn't it be advisable to also install the forwarder on that same machine (being that files will be forwarded faster)?


xpac
SplunkTrust

It would actually be slower, because the forwarding causes some overhead.
You can just have the Splunk instance on that server do the input.

Consider the Universal Forwarder to be a subset of a full Splunk instance. A full Splunk instance can do everything a UF can do, at the same speed - but a UF can only do a subset of what full Splunk can do. The UF is only lightweight, and therefore deployed on servers whose primary task isn't Splunk, but something else.

Therefore - just do whatever you want to do using the full Splunk instance.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂


mawomommoh
Path Finder

Oh, I see. I was thinking that it would be faster because the files would not need to go a long distance as compared to a case in which they are being sent from a different location.

Thanks for the explanation.

Much appreciated! 🙂
