How to send data to Splunk clusters from Windows without UF

payl_chdhry
Explorer

Hi,

I am new to working without Splunk agents/universal forwarders for ingesting data into Splunk. I need to know how an application can send data to a Splunk indexer/HF; are there exact steps provided?

Would it be via HEC or by a TCP port? And how could users set this up in such a way as to continuously send data?

 

Thanks!


gcusello
SplunkTrust

Hi @payl_chdhry,

You could use WMI to query Windows hosts and take logs, but I don't like this solution because you have to use an account with administrative privileges.

For more info see https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindow... and https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/MonitorWMIdata .

I suggest always using Universal Forwarders, because this permits you to:

  • filter unwanted logs on the UF,
  • compress transmitted logs,
  • configure maximum bandwidth occupation,
  • cache logs if there are problems on the Indexers or the network.

If you want to use WMI put this input in a dedicated Heavy Forwarder.

In addition, you don't have HA, because you have to configure only one HF at a time to avoid taking logs twice.

Ciao.

Giuseppe


payl_chdhry
Explorer

Thanks gcusello! We do not want to pull the logs; the Windows team would send the logs to us, and they will take care of filtering out data if required. I am looking at enabling HEC on our Heavy Forwarders. I will create another question for this, as I am a bit confused about how it will work in a clustered environment.

Thanks,

Payal


gcusello
SplunkTrust

Hi @payl_chdhry,

If you use HEC, you could put a Load Balancer in front of two Heavy Forwarders, so it distributes logs between the HFs and manages failover; in this way you have an HA system to take logs from those UFs.

You could also use Indexers to receive HEC logs, but you still need a Load Balancer.

If you don't have a Load Balancer, you can use a DNS configuration, but it is less performant and, in case of failover, you lose the first logs.

In the end, I suggest reconsidering your solution and taking Universal Forwarders into consideration.

Ciao.

Giuseppe

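To make the push-to-HEC path discussed in this thread concrete, here is an added example of a Windows-side sender that continuously ships new Security events to HEC through a load-balanced endpoint. It is not part of the thread and not Splunk's or the poster's code. The HEC URL (a VIP in front of the two HFs), the token, the index and the bookmark path are all assumptions; the script also assumes the account running it is a member of the local Event Log Readers group, which is enough to read the Security log without full administrative rights.

```powershell
# Added example (not from the thread): push new Windows Security events to Splunk HEC
# from a host that has no Universal Forwarder. URL, token, index and paths are assumptions.
$HecUrl    = 'https://splunk-hec.example.com:8088/services/collector/event'  # assumed LB VIP in front of the HFs
$HecToken  = '00000000-0000-0000-0000-000000000000'                           # placeholder HEC token
$Index     = 'wineventlog'                                                    # assumed target index
$LogName   = 'Security'
$StatePath = "$env:ProgramData\hec-sender\$LogName.bookmark"  # last RecordId acknowledged by HEC
$BatchSize = 200

function Get-LastRecordId {
    if (Test-Path $StatePath) { return [int64](Get-Content $StatePath -Raw) }
    # First run: start at the newest record instead of replaying the whole log.
    $latest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($latest) { return $latest.RecordId } else { return 0 }
}

function Send-HecBatch([object[]]$Events) {
    # HEC accepts several JSON event objects concatenated in one POST body.
    $body = ($Events | ForEach-Object {
        @{
            time       = [math]::Round(($_.TimeCreated.ToUniversalTime() - [datetime]'1970-01-01').TotalSeconds, 3)
            host       = $env:COMPUTERNAME
            source     = "WinEventLog:$LogName"
            sourcetype = 'XmlWinEventLog'
            index      = $Index
            event      = $_.ToXml()
        } | ConvertTo-Json -Compress -Depth 3
    }) -join "`n"

    $headers = @{ Authorization = "Splunk $HecToken" }
    # Retry with backoff: behind a load balancer, a failed POST during HF failover is
    # expected, and the batch must not be dropped because one node was unavailable.
    for ($try = 1; $try -le 5; $try++) {
        try {
            $resp = Invoke-RestMethod -Method Post -Uri $HecUrl -Headers $headers `
                -ContentType 'application/json' -Body $body -TimeoutSec 30
            if ($resp.code -eq 0) { return $true }   # HEC answers {"text":"Success","code":0}
            Write-Warning "HEC rejected batch: $($resp | ConvertTo-Json -Compress)"
            return $false                              # bad token/index: retrying will not help
        } catch {
            Write-Warning "HEC POST failed (attempt $try): $($_.Exception.Message)"
            Start-Sleep -Seconds ([math]::Min(60, [math]::Pow(2, $try)))
        }
    }
    return $false
}

New-Item -ItemType Directory -Force -Path (Split-Path $StatePath) | Out-Null
$lastId = Get-LastRecordId

while ($true) {
    # Read only records newer than the bookmark, oldest first, so ordering is preserved
    # and a restart resumes exactly where the last acknowledged batch ended.
    $new = Get-WinEvent -LogName $LogName -FilterXPath "*[System[EventRecordID > $lastId]]" `
        -Oldest -MaxEvents $BatchSize -ErrorAction SilentlyContinue
    if ($new) {
        if (Send-HecBatch $new) {
            $lastId = ($new | Measure-Object -Property RecordId -Maximum).Maximum
            Set-Content -Path $StatePath -Value $lastId   # advance only after HEC acknowledged
        }
    } else {
        Start-Sleep -Seconds 10
    }
}
```

Two points a practitioner should check before running this as a scheduled task or service: the HEC listener on the HFs (or the load balancer in front of them) should present a certificate the Windows host trusts, so that `Invoke-RestMethod` validates TLS rather than having validation disabled; and the token is a bearer secret, so it belongs in a protected credential store rather than in the script body. The bookmark file is what gives the sender at-least-once delivery across restarts and failover; if the HEC POST never returns `code = 0`, the bookmark does not advance and the same batch is retried on the next loop.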