
How to send data to Splunk clusters from Windows without UF

payl_chdhry
Path Finder

Hi,

I am new to working without Splunk agents/universal forwarders for ingesting data into Splunk. I need to know how an application can send data to a Splunk indexer/HF; is there an exact procedure provided?

Would it be via HEC or via a TCP port? And how could users set this up so that they continuously send data?

 

Thanks!


gcusello
SplunkTrust

Hi @payl_chdhry,

If you use HEC, you could put a Load Balancer in front of two Heavy Forwarders, so that it distributes logs between the HFs and manages failover; in this way you have an HA system to take logs from those UFs.

You could also use Indexers to receive HEC logs, but you still need a Load Balancer.

If you don't have a Load Balancer, you can use a DNS configuration, but it's less performant, and in case of failover you lose the first logs.

In the end, I suggest you rethink your solution and take Universal Forwarders into consideration.

Ciao.

Giuseppe

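The answer above recommends a load balancer in front of two HEC-enabled Heavy Forwarders and warns that a plain DNS failover loses the first events sent to the dead endpoint. The PowerShell script below is an added example (not code from the thread or from Splunk) of what the Windows-side application can do: post JSON events to HEC, try a list of HF endpoints in order, and keep unacknowledged events in memory until an HF returns HTTP 200 with `code: 0`, so the failover gap does not drop data. The host names `hf1.example.internal` / `hf2.example.internal`, the index `windows_apps`, the sourcetype `myapp:json` and the all-zero token are placeholders; the script assumes HEC listens on TCP 8088 with TLS and that the HF certificates are trusted by the sending host (no certificate checks are disabled).

```powershell
# Added example: send application events to Splunk HEC from a Windows host
# with client-side failover between two Heavy Forwarders.
# Assumptions (placeholders, replace for your environment):
#   - HEC enabled on both HFs, port 8088, TLS on, certificates trusted locally
#   - the token below is a dummy value; store the real one in a secret store
$HecEndpoints = @(
    'https://hf1.example.internal:8088/services/collector/event',
    'https://hf2.example.internal:8088/services/collector/event'
)
$HecToken = '00000000-0000-0000-0000-000000000000'   # placeholder token
$Headers  = @{ Authorization = "Splunk $HecToken" }

# Events stay in this buffer until an HF acknowledges them with code 0,
# so a failover does not lose the events that hit the dead endpoint first.
$Pending     = [System.Collections.Generic.List[hashtable]]::new()
$MaxBuffered = 5000   # bound memory if both HFs are unreachable for long

function New-HecEvent {
    param(
        [Parameter(Mandatory)][hashtable]$Event,
        [string]$Index = 'windows_apps',
        [string]$Sourcetype = 'myapp:json'
    )
    # HEC /services/collector/event envelope: epoch time, host, index,
    # sourcetype and the application payload under "event".
    return @{
        time       = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        host       = $env:COMPUTERNAME
        index      = $Index
        sourcetype = $Sourcetype
        event      = $Event
    }
}

function Send-HecBatch {
    param([hashtable[]]$Batch)
    # HEC accepts several JSON objects concatenated in one body (not an array).
    $Body = ($Batch | ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 10 }) -join "`n"
    foreach ($Uri in $HecEndpoints) {
        try {
            $Resp = Invoke-RestMethod -Uri $Uri -Method Post -Headers $Headers `
                        -Body $Body -ContentType 'application/json' -TimeoutSec 5
            # A healthy HEC answers {"text":"Success","code":0}.
            if ($Resp.code -eq 0) { return $true }
            Write-Warning "HEC $Uri rejected the batch: $($Resp.text) (code $($Resp.code))"
        } catch {
            # Connection refused, timeout, TLS error or non-2xx: try the next HF.
            Write-Warning "HEC $Uri failed: $($_.Exception.Message)"
        }
    }
    return $false
}

function Send-PendingEvents {
    if ($Pending.Count -eq 0) { return }
    if (Send-HecBatch -Batch $Pending.ToArray()) {
        $Pending.Clear()
    } else {
        Write-Warning "All HEC endpoints are down; retaining $($Pending.Count) events"
    }
}

# Continuous sending loop. The application's real event source replaces the
# constructed heartbeat below; run this as a service or scheduled task.
while ($true) {
    $Pending.Add((New-HecEvent -Event @{ action = 'heartbeat'; app = 'payroll-svc' }))
    if ($Pending.Count -gt $MaxBuffered) {
        Write-Warning 'Buffer full, dropping the oldest event'
        $Pending.RemoveAt(0)
    }
    Send-PendingEvents
    Start-Sleep -Seconds 10
}
```

With a load balancer in front of the HFs, `$HecEndpoints` can hold the single VIP and the loop still retries until the batch is acknowledged; without one, listing both HFs gives the client the failover the DNS approach lacks. Keep the token out of the script in production (Windows Credential Manager or a secret store) and restrict the token to the one index it needs on the HF side.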

gcusello
SplunkTrust

Hi @payl_chdhry,

You could use WMI to query Windows hosts and collect logs, but I don't like this solution because you have to use an account with administrative privileges.

For more info, see https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindow... and https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/MonitorWMIdata .

I always suggest using Universal Forwarders because they allow you to:

  • filter unwanted logs on the UF,
  • compress transmitted logs,
  • configure maximum bandwidth usage,
  • cache logs if there are problems with the Indexers or the network.

If you want to use WMI, put this input on a dedicated Heavy Forwarder.

In addition, you don't have HA, because you have to configure only one HF at a time to avoid collecting logs twice.

Ciao.

Giuseppe


payl_chdhry
Path Finder

Thanks gcusello! We do not want to pull the logs; the Windows team would send the logs to us, and they will take care of filtering out data if required. I am looking at enabling HEC on our Heavy Forwarders. I will create another question for this, as I am a bit confused about how it will work in a clustered environment.

 

Thanks,

Payal

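For the "enable HEC on our Heavy Forwarders" step mentioned above, the configuration below is an added example (not from the thread or from Splunk's documentation) of the two files involved on each HF: `inputs.conf` to open the HEC listener and define a token, and `outputs.conf` to forward what the HF receives to the indexer cluster peers. Host names, the index name `windows_apps`, the sourcetype `myapp:json` and the all-zero token are placeholders; the example assumes the files live in one app under `$SPLUNK_HOME/etc/apps/` that is deployed identically to both HFs, so either one behind the load balancer accepts the same token.

```ini
# Added example: HEC on each Heavy Forwarder, forwarding to the indexer cluster.
# Placeholders: host names, token value, index and sourcetype.

# --- inputs.conf (same on both HFs) ---
[http]
disabled = 0
port = 8088
enableSSL = 1

[http://windows_apps]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
index = windows_apps
sourcetype = myapp:json
# Restrict what this token may write to, so a leaked token cannot
# inject into other indexes.
indexes = windows_apps

# --- outputs.conf (same on both HFs) ---
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx1.example.internal:9997, idx2.example.internal:9997, idx3.example.internal:9997
# Wait for the indexer's acknowledgement before discarding data from the HF queue.
useACK = true
```

Because the same token and index restriction are on both HFs, the load balancer (or the client-side failover) can send any batch to either HF; the HFs then spread the data across the cluster peers listed in `[tcpout:idx_cluster]`, which is what makes the HEC path work against a clustered indexer tier. Check the listener with a test event (`curl -k https://hf1.example.internal:8088/services/collector/event -H "Authorization: Splunk <token>" -d '{"event":"test"}'`) before pointing the Windows applications at it.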

gcusello
SplunkTrust

Hi @payl_chdhry ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
