Monitoring Splunk

Installing Splunk agent: impact on server performance

New Member

We are going to deploy Splunk in our organization, but before deployment there are some questions.

1) If we install the Splunk agent on Microsoft Windows servers 2003/2008 domain controllers, DHCP servers, DNS servers, application servers and database servers, what will be the performance issue?

2) What types of privileges are required to install the Splunk agent on all the above servers (domain admin or service account, etc.)?

3) If any issue appears, what will be the rollback plan?

4) What about technical support?

5) Knowledge base / lessons learnt / awareness from previous customers.

6) We already have Bit9 and MANDIANT residing in DCs and in production; please explore the possibilities of possible impact due to existing agents, etc.


Splunk Employee

Splunk doesn't employ an agent.
What you are looking for is information on the Splunk Universal Forwarder, an unobtrusive "listening" service that forwards data to the indexer, or a Splunk Heavy Forwarder, which has more features and functions, including the ability to index locally, and therefore requires a bit more resource.

You'll want to read through the documentation on the subject; even if your fellow Splunk customers share their stories, it will help to be more familiar with the terminology and function of each component.
Here is a good starting point for a Windows installation:

Your questions regarding credentials are answered there.

You may also want to read the prior sections which discuss the concept of forwarding in general.

Technical Support is available as part of your Enterprise License. You should confirm with your Sales Account Manager as to whether that is included in your license agreement.

In general, performance issues are considered minimal; however, benchmarking is recommended so that you understand how much data you are going to be Splunking (what event types exactly? what is the volume on that particular server? will you include performance counters also?) and you will be best prepared to calculate the impact.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!