Hi. I'm trying to deploy the Splunk app for NetApp ONTAP (v. 2.0.1). In the documentation it shows intermediate forwarders for collecting and forwarding NetApp Data ONTAP logs. Here: http://docs.splunk.com/Documentation/NetApp/2.0.1/DeployNetapp/WhataSplunkAppforNetAppDataONTAPdeplo...
Do you actually need these intermediate forwarders or can the NetApp Data ONTAP logs be sent directly to the Splunk Enterprise instance?
Thank you.
From a purely functional perspective, your syslog sources can directly send their data to Splunk indexers.
However, it's good practice to have a forwarder between syslog and indexers, running a syslog daemon on the forwarder and reading its logfile. That way you don't lose syslog data during indexer maintenance, e.g. for adding new index-time configuration, and you get a simple way to load-balance the logs between the indexers.
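A sketch of the forwarder-side configuration the answer above describes, added here as an example and not taken from the original post or the app's documentation. It assumes the syslog daemon on the forwarder writes one file per sending host under /var/log/remote/<host>/syslog.log; the indexer host names are placeholders, and the index and sourcetype values are assumptions to check against the app's documentation.

```ini
# --- inputs.conf on the intermediate forwarder ---
# Read the file written by the local syslog daemon instead of opening a
# network input in Splunk itself. The file keeps receiving (and buffering)
# events on disk while indexers are restarted for maintenance.
[monitor:///var/log/remote/*/syslog.log]
# Take the host field from the 4th path segment: /var/log/remote/<host>/...
host_segment = 4
# Assumed values: confirm the index and sourcetype the app expects.
sourcetype = ontap:syslog
index = ontap
disabled = false

# --- outputs.conf on the intermediate forwarder ---
[tcpout]
defaultGroup = ontap_indexers

[tcpout:ontap_indexers]
# Placeholder indexer addresses. Listing more than one enables the
# forwarder's automatic load balancing across them.
server = idx1.example.com:9997, idx2.example.com:9997
# Seconds between switching to another indexer in the list.
autoLBFrequency = 30
# Indexer acknowledgment: the forwarder resends data that an indexer
# did not confirm, e.g. because it went down mid-stream.
useACK = true
```

Rotate the syslog daemon's output files on the forwarder so the disk buffer stays bounded during a long indexer outage.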