Re: Can we install a Splunk Universal Forwarder on...

Gregski11 · ‎06-14-2022

so I want to know how long our Splunk servers have been up for, I got the query and it works great on hundreds of other servers but not on our two dozen Splunk servers (Cluster Master, Deployment Servers, Indexers, Search Heads, etc.) I think it is because we do not have the Universal Forwarder installed on them, so can we install it on the Splunk servers or am I dense and missing something and we can just use some of the Splunk Enterprise component to send Even Log data to our Indexers

gcusello · ‎06-14-2022

Hi @Gregski11,

you don't need to install a forwarder on your Splunk servers, you have only to forward their internal logs to Indexers.

You can do this in a simple way: [Settings -- Forwarding and receiving -- Forwarding].

This is a best practice for all Splunk infrastructure, in this way you can monitor your Splunk infrastructure using the Splunk Monitoring Console App.

Ciao.

Giuseppe

Gregski11 · ‎06-14-2022

@gcusello wrote:
Hi @Gregski11,
you don't need to install a forwarder on your Splunk servers, you have only to forward their internal logs to Indexers.
You can do this in a simple way: [Settings -- Forwarding and receiving -- Forwarding].
This is a best practice for all Splunk infrastructure, in this way you can monitor your Splunk infrastructure using the Splunk Monitoring Console App.
Ciao.
Giuseppe

the Monitoring Console does not give us what we need? I want to be able to see how long our Splunk servers have been up for, ie how many days?

Gregski11 · ‎06-14-2022

thanks, this is what I see, does this mean this Search Head is not configured to forward it's data to an Indexer?

Can we install a Splunk Universal Forwarder on an actual Splunk server?

universal forwarder

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann