×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Cole-Potter
Loves-to-Learn Lots
Member since: ‎04-26-2023
‎07-10-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-26-2023
Activity Feed
View All

Re: Heavy Forwarder Not Indexing

by in Deployment Architecture
‎07-10-2025 06:46 AM
‎07-10-2025 06:46 AM
First off thank you for the response, we are sub 50 clients currently on the deployment server but very helpful information if we decide to expand.  I probably should have been a little more specific regarding the alert. I am leveraging Splunk cloud for email alert, I would like to be able to index logs locally and forward them because I would like to be able to kick off local scripts on hosts which I was under the assumption would have to be local to the network.  It would be limited inputs I would want to do this with like sub 5 hosts.  Do you know what kind of licensing is required to index with Splunk Enterprise on prim?  ... View more

Heavy Forwarder Not Indexing

by in Deployment Architecture
‎07-09-2025 02:21 PM
‎07-09-2025 02:21 PM
My End Goal: I would like to be able to leverage our windows Splunk deployment server/Splunk enterprise server to receive logs from universal forwarders and alert off events from that Splunk instance then forward the logs to Splunk cloud.  Our current architecture includes Splunk cloud which receives events from an ubuntu forwarder which receives logs from syslog and other universal forwarders installed on windows machines across the network.  Deployment server I believe this also forwards logs to Splunk cloud. There were some apps that required installation on a Splunk enterprise instance and we are receiving that data to cloud and the host field has the deployment server name as host. So I think some of those event are forwarded from the deployment server. I don't think those flow through the ubuntu server I am not exactly sure where to start on trying to figure this out. I have leveraged Splunk documentation for building source inputs and really thrived off of that but I have been hammering at this making changes to outputs.conf and had no success.    It does not appear that any events are being index on the Splunk Enterprise/Deployment Server instance.   Thank you for you help in advanced. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-10-2025 07:09 AM