We are evaluating Splunk 4, and one of the interests from our management team is to know if Splunk can assist us with collecting specific event log data from 11,000 Windows XP devices.
The purpose, for example, would be to identify all devices that have not logged a reboot event in the past 7 days allowing us to alert off of that information or to alert off of disk errors.
From what I read, Splunk 4 could use WMI to get the event logs; not sure if it's able to get just specific types of events yet...
Is this something we could realistically do with minimal impact to the network and devices? Given the numbers, would we need multiple Splunk servers at various sites collecting the event logs and then forwarding them up? If so, does anyone have an idea of approximately how many Splunk forwarders would be needed to accommodate 11,000 devices? Most geographical sites have about 2,000 devices each.
Is there a better solution I should be looking at that will collect the data and feed it into Splunk for analysis?
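Whatever collector ends up feeding Splunk, the two checks the question describes (hosts with no reboot event in the last 7 days, and hosts logging disk errors) are simple to express once the System log is in hand. The following is an added example, not code from the original post or from Splunk, that runs the two checks over a handful of constructed pipe-delimited event records. The record layout, the hostnames, the inventory list, and the choice to treat System-log Event IDs 6009, 6005 and 1074 as equivalent "reboot evidence" and Disk source IDs 7 and 51 as disk errors are this example's assumptions; the one point a practitioner should keep is that a device that sends no events at all must be reported separately from one that reports but has not rebooted, since the first is a collection problem rather than an uptime fact.

```python
from datetime import datetime, timedelta

# Windows System-log event IDs treated here as evidence of a boot:
#   6009  Event Log service records the Windows version at every startup
#   6005  "The Event Log service was started"
#   1074  a process (e.g. shutdown.exe) initiated a restart or shutdown
# Treating all three as equivalent "reboot evidence" is this example's assumption.
BOOT_EVENT_IDS = {6009, 6005, 1074}

# (source, event ID) pairs treated as disk errors: bad block (7), paging I/O error (51).
DISK_ERROR_EVENTS = {("Disk", 7), ("Disk", 51)}

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (not real collected data) in a layout chosen for
# this example: timestamp|host|log|source|event_id|message
SAMPLE_LINES = """
2009-06-08 07:55:02|XP-SITE1-0001|System|EventLog|6009|Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.
2009-06-08 07:55:02|XP-SITE1-0001|System|EventLog|6005|The Event Log service was started.
2009-05-20 06:10:44|XP-SITE1-0002|System|EventLog|6009|Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.
2009-06-09 12:31:17|XP-SITE1-0002|System|Disk|7|The device, \\Device\\Harddisk0\\D, has a bad block.
2009-06-09 12:31:18|XP-SITE1-0002|System|Disk|7|The device, \\Device\\Harddisk0\\D, has a bad block.
2009-06-07 18:02:09|XP-SITE2-0001|System|USER32|1074|The process winlogon.exe has initiated the restart of computer XP-SITE2-0001.
2009-06-05 09:00:00|XP-SITE2-0002|System|Disk|51|An error was detected on device \\Device\\Harddisk0\\D during a paging operation.
"""

# Constructed asset inventory; XP-SITE2-0003 deliberately never reports anything.
INVENTORY = ["XP-SITE1-0001", "XP-SITE1-0002", "XP-SITE2-0001", "XP-SITE2-0002", "XP-SITE2-0003"]

# Fixed "now" so the example is deterministic.
NOW = datetime(2009, 6, 10, 0, 0, 0)


def parse_events(text):
    """Parse the pipe-delimited sample layout into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, log, source, event_id, message = line.split("|", 5)
        events.append({
            "time": datetime.strptime(ts, TIME_FMT),
            "host": host,
            "log": log,
            "source": source,
            "event_id": int(event_id),
            "message": message,
        })
    return events


def last_boot_per_host(events):
    """Most recent boot-indicating System-log event per host."""
    last = {}
    for ev in events:
        if ev["log"] == "System" and ev["event_id"] in BOOT_EVENT_IDS:
            if ev["host"] not in last or ev["time"] > last[ev["host"]]:
                last[ev["host"]] = ev["time"]
    return last


def hosts_without_recent_reboot(events, inventory, now, window_days=7):
    """Return {host: reason} for inventory hosts with no boot event since now - window.

    Hosts that sent no events at all are reported with a distinct reason, because
    silence means the collection path is broken or the box is offline, not that it
    has been up for 7 days.
    """
    cutoff = now - timedelta(days=window_days)
    reporting = {ev["host"] for ev in events}
    last_boot = last_boot_per_host(events)
    findings = {}
    for host in inventory:
        if host not in reporting:
            findings[host] = "no events received at all (collection problem or host offline)"
        elif host not in last_boot:
            findings[host] = "reporting, but no boot event on record"
        elif last_boot[host] < cutoff:
            findings[host] = "last boot %s" % last_boot[host].strftime(TIME_FMT)
    return findings


def disk_error_counts(events, now, window_days=7):
    """Count disk-error events per host inside the window; hosts with none are omitted."""
    cutoff = now - timedelta(days=window_days)
    counts = {}
    for ev in events:
        if (ev["source"], ev["event_id"]) in DISK_ERROR_EVENTS and ev["time"] >= cutoff:
            counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for host, reason in sorted(hosts_without_recent_reboot(evs, INVENTORY, NOW).items()):
        print("NO RECENT REBOOT  %s: %s" % (host, reason))
    for host, n in sorted(disk_error_counts(evs, NOW).items()):
        print("DISK ERRORS       %s: %d event(s)" % (host, n))
```

The inventory-driven check is the part worth carrying into whatever query language the collector offers: a "hosts missing a reboot" search that only looks at hosts present in the data will never notice the 2,000-device site whose forwarder stopped sending.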