Deployment architecture

rashid47010 · ‎05-08-2018

I have
I want to send windows logs through heavy forwarder to indexer.

on windows server, I install universal forwarder and put Heavy forwarder ip:9997.
already configure listening on heavy forwarder.

now how can I see event in indexer.

jaracan · ‎05-09-2018

Hi,

somesoni2 · ‎05-08-2018

Did you setup data inputs to collect the data on UF?

adonio · ‎05-08-2018

why would you want to use a Heavy Forwarder?
try and avoid using HF unless you must have it
take a look at this link to troubleshoot:
http://docs.splunk.com/Documentation/Splunk/7.1.0/Troubleshooting/Cantfinddata

rashid47010 · ‎05-08-2018

hi
this is just a start of completed architecture.
However I achieve this.
Now where can I filter the events
on HF OR UF ?

Please advise.

skoelpin · ‎05-08-2018

Theres very specific use cases for using a HF. You should typically let the indexers do the parsing

FrankVl · ‎05-08-2018

Specifically for windows events, you can filter those using whitelist or blacklist settings in inputs.conf on the UF.

rashid47010 · ‎05-08-2018

Hi Frank,

Please share some example on this.

FrankVl · ‎05-09-2018

Just have a look at the inputs.conf spec and accompanying examples. Or check out my accepted answer here: https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html

Are you a member of the Splunk Community?