I am learning to use Splunk. We have a bunch of Windows machines that we want to pull the logs from.
This is what I understand from the docs, but please correct me if I am wrong.
Install Splunk Light full version on one of the servers.
Install universal forwarders on however many machines you want (tick the logs you want to forward and give the IP address and port number of the Splunk Light instance), default 9997.
Go to Splunk Web. Now I go to Forward Data, but it says there are no deployment clients configured to talk to this Splunk instance! I didn't get this deployment server and deployment client. Do I need a deployment server in my scenario? Where are all the forwarders supposed to forward events to in a single instance of Splunk Light?
I started seeing the host under the Search tab, under Host, as the added hosts pop up here. (Is this how the forwarder is supposed to work?)
Thanks. The docs are confusing, as there is a mix-up of Splunk Enterprise with Splunk Light, and they are not comprehensive enough for the multitude of options you can configure with Splunk.
Based on feedback such as yours we are working to make the Splunk Light forwarding documentation clearer and more self-contained. In the meantime, the following topics in the Splunk Light docs should provide the info that you need to get started:
Receive data from a forwarder. In particular you might have missed the step in this topic about configuring your Splunk Light instance to receive data.
Configuring your forwarders as deployment clients is optional, but it is required if you want to use the Add Data workflow in the Splunk Light user interface (instead of managing data inputs at the command line or config-file level on each forwarder).
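The two steps the answer describes (enable receiving on the Splunk Light instance, then manage inputs locally on each forwarder without a deployment server), worked as an added example. This is not code from the thread or from the Splunk docs; it is a PowerShell script written for this page. The hostname splunk-light.example.local, the install paths, the admin credential and the choice of Security/System/Application event logs are assumptions you would replace with your own values.

```powershell
# Added example: wire a Windows universal forwarder to a single Splunk Light
# instance without a deployment server, then verify the link.
# Hostnames, paths and credentials are placeholders (assumptions), not values
# from the original thread.

$Receiver  = 'splunk-light.example.local'                 # the Splunk Light server (assumed)
$RecvPort  = 9997                                         # default receiving port
$LightHome = 'C:\Program Files\Splunk'                    # Splunk Light install dir (assumed)
$UfHome    = 'C:\Program Files\SplunkUniversalForwarder'  # forwarder install dir (assumed)
$Cred      = 'admin:CHANGE_ME'                            # never keep the default admin:changeme

# --- Step 1: on the Splunk Light server, turn on the receiver ---------------
function Enable-SplunkReceiver {
    # "splunk enable listen" opens the forwarder receiving port. This is the
    # step the docs team says is easy to miss.
    & "$LightHome\bin\splunk.exe" enable listen $RecvPort -auth $Cred

    # Windows Firewall must also admit inbound TCP 9997 from the forwarders.
    New-NetFirewallRule -DisplayName 'Splunk forwarder receiving' -Direction Inbound `
        -Protocol TCP -LocalPort $RecvPort -Action Allow | Out-Null
}

# --- Step 2: on each Windows host, point the forwarder at the receiver -------
function Set-ForwarderTarget {
    # outputs.conf: where events go. The CLI writes the stanza for us.
    & "$UfHome\bin\splunk.exe" add forward-server "${Receiver}:${RecvPort}" -auth $Cred

    # inputs.conf: which Windows Event Logs to forward. Without a deployment
    # server this file is maintained locally on every forwarder.
    $inputs = @"
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0
"@
    $local = Join-Path $UfHome 'etc\system\local'
    New-Item -ItemType Directory -Path $local -Force | Out-Null
    Set-Content -Path (Join-Path $local 'inputs.conf') -Value $inputs -Encoding ASCII

    # New outputs/inputs take effect on restart.
    & "$UfHome\bin\splunk.exe" restart
}

# --- Step 3: verify from the forwarder -------------------------------------
function Test-ForwarderLink {
    # TCP reachability first: if this fails, look at the firewall or the
    # receiver, not at Splunk configuration.
    $tcp = Test-NetConnection -ComputerName $Receiver -Port $RecvPort
    if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach ${Receiver}:${RecvPort}" }

    # "Active forwards" should list the receiver. "Configured but inactive"
    # means outputs.conf is right but no connection is established yet.
    & "$UfHome\bin\splunk.exe" list forward-server -auth $Cred
}
```

Run Enable-SplunkReceiver once on the Splunk Light server and the other two functions on each Windows host. Once events arrive, the host shows up under Search > Hosts, which is what the original poster observed. Two practical caveats: `-auth user:password` puts the credential on the command line and in the PowerShell history, so use a dedicated account and clear the history (or answer the interactive prompt instead); and a deployment server (`splunk set deploy-poll host:8089` on each forwarder) is only needed if you want the Add Data workflow in Splunk Web to push inputs for you.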