Splunk Enterprise

Understand which hosts send logs to which Splunk component

SplunkExplorer
Contributor

Hi Splunkers, today I have a problem with understanding how and where log sources send logs to Splunk.
In this particular Splunk on-prem environment, no documentation has been done, except the HLD.
So, we have to understand, for each log source, which Splunk component it reaches and how.
For example, if I have a Domain Controller, we must establish:

  • Where does it send logs? Directly to Indexers? To a HF?
  • Is a UF installed on it? If not, how does it send logs? WMI? WEF? Other?

And so on.

Now, "List of servers sending logs to Heavy forwarder" is a community discussion where I started from @scelikok's suggested search and changed it to:

index=_internal component=TcpOutputProc
| stats count values(host) as host by idx
| fields - count

and it helped me a lot: for each Splunk component of the env (IDS, HF and so on), I'm able to understand which log sources send it data.

So, what's the problem? The above search returns data forwarded by another Splunk component.
I mean, in the output, the field idx always has the format ip/hostname:9997, so it means that the data are coming from a server with a UF or from another Splunk host (we have some intermediate forwarders, so sometimes I can see data ingested by an HF coming from another HF). What about data not sent by a Splunk agent/host?
For example, suppose I have this flow:

Log source with syslog -> Splunk HF receiving on port 514

With the above search, I cannot see those sources (and I know for sure they exist in our env).
How can I recover them? The syslog is only an example; the key point here is: I must complete my search with all log sources that do not use a UF and/or any other Splunk element, but another forwarding tool/protocol (syslog, API, WEF, and so on).

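An added example, not part of the original post or of the community thread it cites, that complements the TcpOutputProc search from the other direction: instead of asking "who connects to me on 9997", it asks each Splunk instance what it reads from its own inputs. It uses the per_source_thruput group of metrics.log, which every component forwards into _internal, where the host field of each event is the Splunk instance that owns the input and series is the source name of that input. The ingest_path labels are an assumption on my side and rely on Splunk's default source naming: udp:514 or tcp:514 for a network (syslog) input, WMI:... for WMI inputs, WinEventLog:ForwardedEvents on a WEF collector read by a UF, and http:<token name> for HTTP Event Collector data; sources renamed in inputs.conf or by props/transforms will fall into "file or other".

```spl
index=_internal source=*metrics.log* group=per_source_thruput NOT series="*/var/log/splunk/*"
| eval ingest_path=case(
    match(series, "^(udp|tcp):\d+$"),                     "network input (syslog)",
    match(series, "^WMI:"),                               "WMI",
    match(series, "^(Xml)?WinEventLog:ForwardedEvents$"), "WEF (ForwardedEvents channel on a collector)",
    match(series, "^(Xml)?WinEventLog:"),                 "Windows Event Log read locally by a UF",
    match(series, "^http:"),                              "HTTP Event Collector (API)",
    true(),                                               "file or other")
| stats sum(kb) as kb dc(series) as inputs values(series) as sources by host ingest_path
| rename host as receiving_splunk_component
| sort receiving_splunk_component ingest_path

| tstats count where index=* (source=udp:* OR source=tcp:*) by host source sourcetype splunk_server
| rename host as origin_host splunk_server as indexer
| sort origin_host
```

These are two separate searches. The first, run from the search head over a long time range (a day or more), gives one row per Splunk instance and ingestion path, so an HF with a udp:514 listener shows up under "network input (syslog)" even though nothing about it appears in TcpOutputProc. The second lists, from the indexed data itself, the origin hosts whose events carry a network-input source, which is the syslog population the forwarder-based search cannot see. One caveat worth knowing before trusting an absence: metrics.log only reports the top series per group for each sampling interval (10 by default), so a low-volume input on a busy HF can be sampled out in any single interval and only becomes visible over a wider window.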
1 Solution

inventsekar
SplunkTrust

Hi @SplunkExplorer 

> Where it sends logs? Directly to Indexers? To a HF?

A Splunk UF will generally send the logs to the indexer. But if your indexer is overloaded and you want to do some preprocessing beforehand, then you should use a HF (from the UF, send the logs to the HF; the HF will do some parsing tasks, then it will send the logs to the indexer).

> A UF is installed on it? If not, how it send logs? WMI? WEF? Other

Yes, the WMI option is available. And if you cannot install the UF, then you can use a syslog server to collect the logs from all systems that don't have a UF and send them to a HF or indexer.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
