Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to make my computer (with splunk) receive data from another computer on the same network in real time?

Alepy
Explorer
‎06-11-2020 01:57 PM

I'm trying to receive all the behaviour from a computer in real time, and receive the data in my other computer that has Splunk Enterprise already installed.

Both computers in the same network.

What is the best way to make this happen?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-12-2020 05:27 AM

Hi @Alepy,

the best way is to install on the target computer a Splunk Universal Forwarder to take logs from it.

You can find documentation about this at https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/WhatSplunkcanmonitor#:~:text=To%20get%20data...

Obviously it depends on the operative system of the target computer (Windows or Linux) and on the kind of logs to take (wineventlogs, application logs, scripts execution logs, etc...)

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-12-2020 08:55 AM

Hi @Alepy,

to take logs from windows the best approach is using a Universal Forwarder and the Splunk_TA_Windows, so you have to:

  • on Splunk Enterprise enable receiving [Settings -- Forwarding and receiving -- Receive Data],
  • install the Splunk UF on the target server,
  • configure UF to send logs to the Splunk Enterprise: splunk add forward-server <host>:<port> -auth <username>:<password> (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Deployaforwarder ),
  • copy and untar the Splunk_TA_Windows ( https://splunkbase.splunk.com/app/742/ ) in $SPLUNK_HOME\etc\apps of the target server,
  • make a copy of inputs.conf in Splunk_TA_Windows (copy from default folder in local folder),
  • modify the local version changing disabled=0 in the stanzas you need,
  • restart Splunk on the target server.

this Technical Add-On (TA) already contains all the inputs for you, but by default are disable, so you have to enable the ones you need.

Ciao.

Giuseppe

0 Karma
Reply

TorbenH
Loves-to-Learn Lots
‎06-12-2020 04:10 AM

Hi Alepy,

you will need a universal forwarder on your machine which you want to monitor and your machine with Splunk Enterprise on it needs to listen on a port where your data is sent to.

1. Enable a listening port in Splunk Web on your receiving machine: Settings -> Forwarding and receiving -> Configure receiving: Add new -> Give it a listening port ( for example: 9997 )

2. Install a windows universal forwarder on your system where you want to collect your logs. During the installation process you will be asked to input the address of your receiving indexer:  IP:9997. There will also be a step where you can already enable windows event and performance logging. You should leave this one empty and finish the installation.

3. Go to Splunkbase and download "Splunk Add-On for Microsoft Windows". It is free to use. Under details you can find a link to the documentation of that Add-On which will help you with installation.

4. After you completed those steps your data should be forwarded to your virtual machine and you can investigate it. To make it easier you can also install the "Splunk App for Windows infrastructure". This will enhance your Splunk Web experience with pre configured dashboards and virtualizations.

0 Karma
Reply

TorbenH
Loves-to-Learn Lots
‎06-12-2020 04:03 AM

Hi Alepy,

for this task you will need a universal forwarder on the machine that will be sending the data and the receiving machnine will need to listen on a port you are sending the data to. Im assuming from your last post that you want to send the logs from your local Windows system to the Windows system on your virtual box.

1. Make sure you the systems can find each other in the network.

2. Log into your Splunk Enterprise system on your Virtual Box and go to "Settings" -> "Forwarding and receiving" -> "Configure receiving" -> "New receiving port". Give it port 9997 and confirm.  

3. Download a Windows universal forwarder on and install it on your machine which you want to monitor.

You can find the download to the windows forwarder here: https://www.splunk.com/de_de/download/universal-forwarder.html

Installation tutorial: https://docs.splunk.com/Documentation/Forwarder/8.0.4/Forwarder/InstallaWindowsuniversalforwarderfro...

At some point in the installation you can add the destination of your receiving indexer ( your virtual box windows ). Put in the IP + port your defined on your Splunk Enterprise machine ( 9997 ). You can also configure Windows monitoring at some point which i didnt do yet, so i can't give you an advice on this one. The way i did it was to leave that point empty and install the "Splunk Add-On for Microsoft Windows" and "Splunk App for Windows Infrastructure" for Windows monitoring. You can find those apps here on Splunk base with links to their documentation. They are free to use.

Splunk Add-on for Microsoft Windows: https://splunkbase.splunk.com/app/742/

Windows app for infrastructure: https://splunkbase.splunk.com/app/1680/

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-11-2020 02:00 PM
You'll have to be more specific. What data do you want to send to Splunk? What do you want to do with it? What platform is the source computer running on?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Alepy
Explorer
‎06-11-2020 03:14 PM

Hi thanks for the reply...

- I want to send to Splunk the performance of the computer (disk space, etc...) and the Windows event logs.

- I'm almost graduating, and I decided to create a project that envolved Splunk Enterprise, and because I'm not very familiar with it, I came here to clear my ideas.

- The computer with Splunk Enterprise is running on Windows 10 Home, and I'm started working with Splunk from Splunk Web.

 

 

0 Karma
Reply

Alepy
Explorer
‎06-11-2020 03:35 PM

The computer that has Splunk Enterprise is running Windows 10 Home but it's a virtual machine (VirtualBox) by the way.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...