I have I want to send windows logs through heavy forwarder to indexer.
on windows server, I install universal forwarder and put Heavy forwarder ip:9997. already configure listening on heavy forwarder.
now how can I see event in indexer.
Hi,
Here is a good reference for your deployment architecture. http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
Did you setup data inputs to collect the data on UF?
why would you want to use a Heavy Forwarder? try and avoid using HF unless you must have it take a look at this link to troubleshoot: http://docs.splunk.com/Documentation/Splunk/7.1.0/Troubleshooting/Cantfinddata
hi this is just a start of completed architecture. However I achieve this. Now where can I filter the events on HF OR UF ?
Please advise.
Theres very specific use cases for using a HF. You should typically let the indexers do the parsing
Specifically for windows events, you can filter those using whitelist or blacklist settings in inputs.conf on the UF.
Hi Frank,
Please share some example on this.
Just have a look at the inputs.conf spec and accompanying examples. Or check out my accepted answer here: https://answers.splunk.com/answers/648353/how-to-limit-a-data-sent-to-indexers-to-only-with.html
