Knowledge Management

Splunk Cloud - Universal Forwarder and DBConnect questions

sdintino_splunk
Splunk Employee
Splunk Employee

One of the main questions we have right now is - where are the Universal Forwarders installed? We had talked about having them on each client and having a deployment server to control pushing configs out to those clients. Correct?

We were discussing this and wondering:
• How does the traffic going out to the Splunk Cloud, get throttled?
• How does the Deployment Server interact with each client?
• Is there an agent?

The second thing is DBConnect. In our “Manage apps”, I see a message saying we need to request this app be installed. How does the DB connect app on Splunk Cloud, talk to our SQL servers? Will it do this through the deployment server?

In one way we were wondering if it might be easier to have everything route though the heavy forwarder than to try and get the ports open on every server.

Also, do we need to purchase licenses to install Splunk Enterprise on the Heavy Forwarder and Deployment Server if we go that way?

Thanks!!

Tags (1)
1 Solution

ansif
Motivator
  • Splunk forwarders are light weight agents installed on all endpoint machines(where ever possible) to pull data and sent to Splunk cloud.
  • Both deployment server and forwarder has Splunk daemon process which interacts each other (default 8089 port but can be changed)
  • An universal forwarder, a small footprint agent.
  • Splunk has mainly 2 package,one is universal forwarder and other is Splunk enterprises.You need to built a system with Splunk enterprise and install DB connect app there.The DB connect app from this instance will directly interact with your DB instance to pull data and send it over Splunk cloud.You can use Deployment server to install DB connect app since deployment server uses Splunk enterprise installation.
  • You can configure a single splunk server to collect all your data and send it to Cloud.Keep it in mind it is really depend on how much data you are transferring through a single server.
  • Splunk license requires only when you index data locally.But I thinnk you require dummy licenses for other instances.Better contact sales persons.

NB:- Regarding Splunk cloud prerequisites and cost,please reach out to sales persons.They will answer all your queries and suggest you better splunk deployment in you environment.Accept this answer if you find helpful.

View solution in original post

ansif
Motivator
  • Splunk forwarders are light weight agents installed on all endpoint machines(where ever possible) to pull data and sent to Splunk cloud.
  • Both deployment server and forwarder has Splunk daemon process which interacts each other (default 8089 port but can be changed)
  • An universal forwarder, a small footprint agent.
  • Splunk has mainly 2 package,one is universal forwarder and other is Splunk enterprises.You need to built a system with Splunk enterprise and install DB connect app there.The DB connect app from this instance will directly interact with your DB instance to pull data and send it over Splunk cloud.You can use Deployment server to install DB connect app since deployment server uses Splunk enterprise installation.
  • You can configure a single splunk server to collect all your data and send it to Cloud.Keep it in mind it is really depend on how much data you are transferring through a single server.
  • Splunk license requires only when you index data locally.But I thinnk you require dummy licenses for other instances.Better contact sales persons.

NB:- Regarding Splunk cloud prerequisites and cost,please reach out to sales persons.They will answer all your queries and suggest you better splunk deployment in you environment.Accept this answer if you find helpful.

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...