Solved: Re: Office 365 logs

tmardan · ‎09-17-2020

Hello!

How can I add Office 365 logs to my Splunk if I have 1 search head and 2 indexers and using distributed search?

Should I install all add-ons on 1 indexer and make all configurations on it and all add-ons and app on search head?

thambisetty · ‎09-17-2020

I recommend HF.

Indexers are generally overloaded with requests coming from search head.

You can Install on Indexer if they are not overloaded.

————————————
If this helps, give a like below.

richgalloway · ‎09-18-2020

Start by reading the docs for the add-ons and apps you plan to install. They should say where they want to be installed.

In general, inputs should not be defined on indexers in a distributed environment. Doing so is likely to cause duplicated data. Put them on a heavy forwarder, instead. See https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall

---
If this reply helps you, Karma would be appreciated.

thambisetty · ‎09-18-2020

exactly. To separate workloads to different worker machines.

————————————
If this helps, give a like below.

tmardan · ‎09-18-2020

As I understood at this moment I can use for it universal forwarder too?

thambisetty · ‎09-21-2020

you can't use UF as it doesn't have python included in package.

————————————
If this helps, give a like below.

tmardan · ‎09-17-2020

Thank you for answer!

You mean deploy heavy forwarder on another machine and configure it to receive logs from Office365 and then send them to my indexers?

thambisetty · ‎09-17-2020

I recommend HF.

Indexers are generally overloaded with requests coming from search head.

You can Install on Indexer if they are not overloaded.

————————————
If this helps, give a like below.

Office 365 logs