
How to onboard data from multiple servers?

woodlandrelic
Path Finder

Hi,

I am trying to monitor data from about 200 servers with different sources. What is the best way to do this easily and efficiently? I am on a time crunch. Any help will be fantastic. I understand that putting a universal forwarder on the server will pull data to the indexer. But I can't do that for over 200 servers. HELP.

Thanks

1 Solution

richgalloway
SplunkTrust
SplunkTrust

The best way is the one you rejected - put a UF on each source system. Many people have done it with far more than 200 servers, so don't let that stop you. Use management tools such as Puppet, Ansible, SCCM, etc., to make the job easier. Be sure to have a Deployment Server configured to handle configuration of the UFs.


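The rollout the accepted answer describes (a UF on every server, pushed out with a configuration-management tool, pointed at a Deployment Server) comes down to a small bootstrap script that the tool runs on each host. The script below is an added example, not code from this thread or from Splunk; the host name splunk-ds.example.com, the install path /opt/splunkforwarder, the service account splunkfwd and the tarball location are hypothetical. It writes deploymentclient.conf so the forwarder phones home to the Deployment Server, seeds a non-default admin password via user-seed.conf rather than leaving the default credentials, and runs the forwarder as an unprivileged user. With Ansible this is what the script module would ship; with a plain ssh loop it is what you would run as root on each box.

```shell
#!/bin/sh
# Added example (not from the thread): Universal Forwarder bootstrap, one run per server.
# Hypothetical values: UF tarball already copied to /tmp, Deployment Server at
# splunk-ds.example.com:8089, install under /opt/splunkforwarder, service user 'splunkfwd'.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
DS_URI="${DS_URI:-splunk-ds.example.com:8089}"
UF_TARBALL="${UF_TARBALL:-/tmp/splunkforwarder.tgz}"
SPLUNK_USER="${SPLUNK_USER:-splunkfwd}"

# deploymentclient.conf: the UF polls this Deployment Server for its apps
# (inputs.conf, outputs.conf). clientName should be unique per host.
render_deploymentclient() {
  client_name="$1"
  target_uri="$2"
  printf '[deployment-client]\nclientName = %s\n\n[target-broker:deploymentServer]\ntargetUri = %s\n' \
    "$client_name" "$target_uri"
}

# user-seed.conf: consumed on first start to create the local admin user,
# so no forwarder is left on default credentials. Password supplied by the caller.
render_user_seed() {
  printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$1"
}

# Idempotent file write: returns 0 when the file was (re)written, 1 when unchanged,
# so a second run of the tool does not restart anything needlessly.
write_if_changed() {
  path="$1"
  content="$2"
  if [ -f "$path" ] && [ "$(cat "$path")" = "$content" ]; then
    return 1
  fi
  mkdir -p "$(dirname "$path")"
  printf '%s\n' "$content" > "$path"
  chmod 600 "$path"
  return 0
}

install_uf() {
  admin_pw="$1"
  # Unprivileged service account; give it group read access to the logs
  # (e.g. the adm group on Debian/Ubuntu) instead of running the forwarder as root.
  id "$SPLUNK_USER" >/dev/null 2>&1 || useradd -r -m -d "$SPLUNK_HOME" -s /sbin/nologin "$SPLUNK_USER"
  tar xzf "$UF_TARBALL" -C "$(dirname "$SPLUNK_HOME")"
  write_if_changed "$SPLUNK_HOME/etc/system/local/deploymentclient.conf" \
    "$(render_deploymentclient "$(hostname -s)" "$DS_URI")" || true
  write_if_changed "$SPLUNK_HOME/etc/system/local/user-seed.conf" \
    "$(render_user_seed "$admin_pw")" || true
  chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
  # Accept the license non-interactively, then register boot-start for the service user.
  "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
  "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
}

# Only install when invoked as: bootstrap-uf.sh install <admin-password>
# Sourcing the file just defines the functions.
if [ "${1:-}" = "install" ]; then
  install_uf "${2:?admin password required}"
fi
```

Two caveats worth keeping in mind with this pattern: the forwarder only ever connects outbound to the Deployment Server, so if you have no need for local REST access on the forwarders you can close their management port with disableDefaultPort = true under [httpServer] in server.conf; and the admin password should come from your tool's secret store at run time, not be baked into the script that gets copied to 200 hosts.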

woodlandrelic
Path Finder

Am happy to report everything is working fine. Thanks for your immense help.


woodlandrelic
Path Finder

Hi @richgalloway 

Thanks for the quick response. Which of these management tools are beginner friendly in your opinion?


richgalloway
SplunkTrust
SplunkTrust

I'd start with Ansible.



woodlandrelic
Path Finder

Hi @richgalloway 

What stanza should be in the inputs.conf on the server?

Some examples say there should be a host. Should there?

    [monitor://...]
    host =
    index =
    sourcetype =


richgalloway
SplunkTrust
SplunkTrust

Put in inputs.conf the things you want the UF to send to Splunk.  Perhaps the most common is [monitor://foo] to read text files as they get new text.  Also common are [WinEventLog://...] on Windows servers and [perfmon://...] to collect performance metrics.

Start with a few enabled stanzas as a POC and to ensure you don't overwhelm the environment (Splunk or the network).  You can add or enable other inputs via the Deployment Server later.

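The answer above says to start with a few enabled stanzas as a POC and to add the rest later through the Deployment Server. The script below is an added example of the Deployment Server side of that, not code from this thread or from Splunk: it builds two deployment apps whose inputs.conf carries the stanza types named in the answer ([monitor://...], [WinEventLog://...], [perfmon://...]) with only a couple of them enabled and the rest staged with disabled = 1, plus the serverclass.conf that hands each app to the right forwarders. The index name os_logs, the app names, and the lnx*/win* host-naming convention are hypothetical. It also answers the host question from the previous post the way the forwarder actually behaves: the UF writes host = <its hostname> into [default] at first start, so a per-stanza host is only needed when a file was produced on a different machine than the one forwarding it.

```shell
#!/bin/sh
# Added example (not from the thread): build Deployment Server apps for the POC.
# Hypothetical values: DS install at /opt/splunk, index 'os_logs',
# Linux forwarders named lnx*, Windows forwarders named win*.
set -eu

INDEX_NAME="${INDEX_NAME:-os_logs}"

# File-monitor stanza. No 'host' line: the UF sets host in [default] at first
# start; override per stanza only for files collected on behalf of other hosts.
# The index must already exist on the indexers or the events are dropped.
render_monitor() {
  # $1 absolute path, $2 sourcetype, $3 disabled (0 = enabled now, 1 = staged)
  printf '[monitor://%s]\nindex = %s\nsourcetype = %s\ndisabled = %s\n\n' "$1" "$INDEX_NAME" "$2" "$3"
}

render_wineventlog() {
  # $1 channel (Security, System, ...), $2 disabled; sourcetype defaults to WinEventLog:<channel>
  printf '[WinEventLog://%s]\nindex = %s\ndisabled = %s\n\n' "$1" "$INDEX_NAME" "$2"
}

render_perfmon() {
  # Processor counter sampled every 60s; '%%' is a literal percent sign in printf
  printf '[perfmon://CPU]\nobject = Processor\ncounters = %% Processor Time\ninstances = _Total\ninterval = 60\nindex = %s\ndisabled = %s\n\n' "$INDEX_NAME" "$1"
}

# Linux app: auth log and syslog enabled for the POC, audit log staged
render_linux_inputs() {
  render_monitor /var/log/secure linux_secure 0
  render_monitor /var/log/messages linux_messages_syslog 0
  render_monitor /var/log/audit/audit.log linux_audit 1
}

# Windows app: Security log enabled, System log and CPU perfmon staged
render_windows_inputs() {
  render_wineventlog Security 0
  render_wineventlog System 1
  render_perfmon 1
}

# One server class per OS, keyed on client name, so Linux paths never reach
# Windows forwarders and vice versa. restartSplunkd applies the change on the UF.
render_serverclass() {
  printf '[serverClass:uf_linux]\nwhitelist.0 = lnx*\nrestartSplunkd = true\n\n[serverClass:uf_linux:app:uf_linux_seed_inputs]\n\n'
  printf '[serverClass:uf_windows]\nwhitelist.0 = win*\nrestartSplunkd = true\n\n[serverClass:uf_windows:app:uf_windows_seed_inputs]\n'
}

# Write both apps and serverclass.conf under $1 (the DS SPLUNK_HOME)
build_deployment_apps() {
  ds_home="$1"
  mkdir -p "$ds_home/etc/deployment-apps/uf_linux_seed_inputs/local" \
           "$ds_home/etc/deployment-apps/uf_windows_seed_inputs/local" \
           "$ds_home/etc/system/local"
  render_linux_inputs   > "$ds_home/etc/deployment-apps/uf_linux_seed_inputs/local/inputs.conf"
  render_windows_inputs > "$ds_home/etc/deployment-apps/uf_windows_seed_inputs/local/inputs.conf"
  render_serverclass    > "$ds_home/etc/system/local/serverclass.conf"
}

# Number of enabled stanzas in an inputs.conf: a quick check that the POC stays small
count_enabled() {
  grep -c '^disabled = 0$' "$1"
}

# Invoked as: build-ds-apps.sh build [/opt/splunk]
if [ "${1:-}" = "build" ]; then
  build_deployment_apps "${2:-/opt/splunk}"
  # Make the Deployment Server pick up the new apps and classes (prompts for DS credentials)
  "${2:-/opt/splunk}/bin/splunk" reload deploy-server
fi
```

To widen the rollout later, flip disabled = 1 to 0 in the staged stanzas (or add new ones) inside the app and reload the deploy server again; the forwarders pick the change up on their next poll, which keeps the "add or enable other inputs via the Deployment Server" step from the answer a one-file edit rather than 200 logins.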