Last time when i used it, i have deployment server and it was okay. I can install APP on splunk forwarder and receive data from this app to Splunk cloud

Hi @itsupport42 ,

as @richgalloway said the best thing is to install a dedicated server to run as a Deployment Server.

If you don't want to do this, you can manually (or using a third party tool) install your add-ons you your Universal Forwarders.

But take attention to the idea to use an HF as a concentrator!

Ciao.

Giuseppe

I disagree with the practice of using intermediate forwarders. They add complexity, points of failure, and can impede search performance by not distributing events evenly among indexers.

Do you have some instruction on how install addons on Universal ?

Hi @itsupport42 ,

which add-ons are you speaking of?

if there isn't any particular requirement (see on documentation), to install an add-on on a Universal forwarder, you have only to untar the package in the $SPLUNK_HOME/etc/apps folder and then restart Splunk on UF.

Ciao.

Giuseppe

But how i can get addons from Splunk Cloud to Universal?

I need to understand, that Splunk universal forward received data from syslog of meraki udp 1496 and send it to Splunk cloud. And using addon for meraki for correct logs

From deployment server i can do this easily but without it. I want to understand what my steps

I need only Splunk Cloud and Universal Forward.

Hi @itsupport42 ,

usually it's a best practice to have two or more Heavy Forwarders between UFs and Splunk Cloud to avoid to open too many routes between your servers and internet and i suggest to take in consideration this idea!

Anyway, you can use a dedicated Deployment Server to manage your Forwarders.

Ciao.

Giuseppe

Because I need to use specific addon that can send data correct to Splunk cloud

Hi @itsupport42 ,

why you cannot use Heavy Forwarders between UFs and Splunk Cloud?

I think that your add-on can work also with intermediate Heavy Forwarders!

Ciao.

Giuseppe