Hi Splunkers,
a customer requested from us a Splunk architecture proposal for his own environment.
I have never designed Splunk architectures, so I searched the web and found some useful documents, like the "Splunk Validated Architectures"; the point is that the overall architecture (Splunk + environment to monitor) is quite particular.
The desired customer architecture is the following:
Data sources -> Mulesoft -> Splunk Cloud SaaS -> Mulesoft
Additional info:
1. No agent must be installed in the Mulesoft environment.
2. No ES required
So, the data flows are the following:
1. All data sources send their logs to Mulesoft environment
2. Mulesoft sends the data to Splunk; so, from a Splunk perspective, Mulesoft is the only (big) data source.
3. Splunk performs correlation and, if an alarm triggers, sends data back to Mulesoft.
So, I have two open points here.
1. Since Mulesoft is the only data source, even if a big one, and has its own HA management systems (so it is not up to the Splunk environment to manage this task), I think I have no reason to use a forwarder as an "intermediate host" and I can send logs directly to Splunk with the token mechanism and Log4j configs in Mulesoft; are there some reasons I am missing that would justify the use of a forwarder between the Mulesoft environment and the Splunk one?
2. If an alarm triggers, I have to forward it back to the Mulesoft system. I know I can perform some response actions when an alarm triggers: send an email, execute a script, and so on. What could be the best action to send data back to Mulesoft?
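On point 2, here is an added example (not from this thread or from Splunk/Mulesoft) of the "execute a script" route as a Splunk custom alert action in Python that relays the triggering result to a Mulesoft HTTP endpoint. The `--execute` invocation and the stdin JSON keys follow Splunk's custom alert action interface; the Mulesoft URL and the sample payload are constructed.

```python
#!/usr/bin/env python3
"""Splunk custom alert action (added example) that relays the triggering result to Mulesoft.

Splunk invokes the script as `alert_to_mulesoft.py --execute` and writes one JSON payload to
stdin; search_name, sid, owner, app, results_link and result are keys of that payload.
"""
import json
import sys
import urllib.request

MULESOFT_URL = "https://mulesoft.example.invalid/splunk-alerts"  # hypothetical endpoint

# Constructed sample of what Splunk hands to a custom alert action (abridged).
SAMPLE_PAYLOAD = {
    "search_name": "Mulesoft - repeated auth failures",
    "sid": "scheduler__admin__search__RMD5example_at_1700000000_1",
    "owner": "admin",
    "app": "search",
    "results_link": "https://splunk.example.invalid/app/search/@go?sid=example",
    "result": {"_time": "1700000000", "_raw": "constructed raw event", "host": "mule-worker-1",
               "user": "svc-integration", "count": "27"},
}

def validate(payload: dict) -> None:
    """Refuse payloads that lack the fields Mulesoft must correlate on."""
    missing = [k for k in ("search_name", "sid", "result") if k not in payload]
    if missing:
        raise ValueError(f"alert payload missing {missing}")

def build_mulesoft_message(payload: dict) -> dict:
    """Shape the alert for Mulesoft: keep identifying metadata, drop Splunk-internal _fields."""
    validate(payload)
    fields = {k: v for k, v in payload["result"].items() if not k.startswith("_")}
    return {"alert": payload["search_name"], "sid": payload["sid"], "owner": payload.get("owner"),
            "app": payload.get("app"), "results_link": payload.get("results_link"), "fields": fields}

def send(message: dict, url: str = MULESOFT_URL, opener=urllib.request.urlopen) -> int:
    """POST the message as JSON; `opener` is injectable so the function can be exercised offline."""
    req = urllib.request.Request(url, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"})
    with opener(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":  # how Splunk runs the action
        sys.exit(0 if send(build_mulesoft_message(json.load(sys.stdin))) < 300 else 1)
    print(json.dumps(build_mulesoft_message(SAMPLE_PAYLOAD), indent=2))  # offline demo
```

Packaged as a Splunk app with an `alert_actions.conf` stanza, the script runs on the search head with Splunk's own credentials, so the Mulesoft endpoint should authenticate it (for example with a per-action token read from the action's configuration) rather than trusting the source address.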