How to onboard data from multiple servers?

woodlandrelic
Path Finder

Hi,

I am trying to monitor data from about 200 servers with different sources. What is the best way to do this easily and efficiently? I am on a time crunch. Any help will be fantastic. I understand that putting a universal forwarder on the server will pull data to the indexer. But I can't do that for over 200 servers. HELP.

Thanks

1 Solution

richgalloway
SplunkTrust

The best way is the one you rejected - put a UF on each source system. Many people have done it with far more than 200 servers, so don't let that stop you. Use management tools such as Puppet, Ansible, SCCM, etc., to make the job easier. Be sure to have a Deployment Server configured to handle configuration of the UFs.

---
If this reply helps you, Karma would be appreciated.


woodlandrelic
Path Finder

Am happy to report everything is working fine. Thanks for your immense help.


woodlandrelic
Path Finder

Hi @richgalloway 

Thanks for the quick response. Which of these management tools are beginner friendly in your opinion?


richgalloway
SplunkTrust

I'd start with Ansible.

---
If this reply helps you, Karma would be appreciated.

woodlandrelic
Path Finder

Hi @richgalloway 

what stanza should be on the inputs.conf on the server?

some examples are saying there should be a host. Should there?

Host
monitor:
index =
sourcetype =


richgalloway
SplunkTrust

Put in inputs.conf the things you want the UF to send to Splunk.  Perhaps the most common is [monitor://foo] to read text files as they get new text.  Also common are [WinEventLog://...] on Windows servers and [perfmon://...] to collect performance metrics.

Start with a few enabled stanzas as a POC and to ensure you don't overwhelm the environment (Splunk or the network).  You can add or enable other inputs via the Deployment Server later.

---
If this reply helps you, Karma would be appreciated.
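As an added example (not code from the thread or from Splunk), here is the kind of per-server bootstrap script that a configuration-management tool such as Ansible would push to each Linux host, tying together the two answers above: it writes the deploymentclient.conf that points the UF at the Deployment Server, and a minimal starter inputs.conf with one enabled [monitor://...] stanza and one shipped but disabled, for the proof-of-concept stage. The Deployment Server hostname, the index name, the log paths and the sourcetypes are assumptions chosen for illustration. Note that no host line is needed in the monitor stanzas: the UF takes host from the [default] stanza written at install time.

```shell
#!/bin/sh
# Added example, not from the original post. Per-server UF bootstrap that a
# config-management tool would run on each Linux host. SPLUNK_HOME, DS_URI,
# the log paths, index and sourcetypes below are assumed values.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"   # default UF install location
DS_URI="${DS_URI:-deploy.example.com:8089}"           # assumed Deployment Server host:port

# Point the forwarder at the Deployment Server. After this, inputs can be
# pushed centrally as deployment apps instead of being edited on 200 hosts.
write_deploymentclient_conf() {
    dir="$1"; target="$2"
    mkdir -p "$dir"
    cat > "$dir/deploymentclient.conf" <<EOF
[deployment-client]
# settings left at their defaults

[target-broker:deploymentServer]
targetUri = $target
EOF
}

# Minimal starter inputs.conf for the POC. host is deliberately not set per
# stanza: the UF fills it in from the [default] stanza created at install time.
write_starter_inputs() {
    dir="$1"; index="$2"
    mkdir -p "$dir"
    cat > "$dir/inputs.conf" <<EOF
[monitor:///var/log/messages]
index = $index
sourcetype = syslog
disabled = 0

# Shipped but left off until the POC shows Splunk and the network cope.
[monitor:///var/log/secure]
index = $index
sourcetype = linux_secure
disabled = 1
EOF
}

# Sanity check before a restart or reload: print any stanza that has no
# index line, so data cannot silently land in the wrong index.
stanzas_without_index() {
    awk '
        /^\[/ { if (name != "" && !seen) print name; name = $0; seen = 0; next }
        /^index[ \t]*=/ { seen = 1 }
        END { if (name != "" && !seen) print name }
    ' "$1"
}

# Only touch the real forwarder when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    write_deploymentclient_conf "$SPLUNK_HOME/etc/system/local" "$DS_URI"
    write_starter_inputs "$SPLUNK_HOME/etc/system/local" main
    stanzas_without_index "$SPLUNK_HOME/etc/system/local/inputs.conf"
    "$SPLUNK_HOME/bin/splunk" restart
fi
```

Run it with `--apply` on a host to write the two files under `$SPLUNK_HOME/etc/system/local` and restart the forwarder; without arguments it only defines the functions, which is what lets a management tool dry-run it against a scratch directory first. Once the Deployment Server is in place, the inputs.conf part belongs in a deployment app there rather than in system/local, as the last answer says.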