Hi all,
I'm new to Splunk Cloud and looking into a "rapid" implementation. Question: does the universal forwarder need to be installed on each of our servers, or should only one server be configured to send all data to Splunk Cloud? What's the best approach to ensure data is being effectively sent to Splunk Cloud?
This answer kinda depends on your environment. For example, if all of your servers are allowed access to Splunk Cloud over public IP address space, then install a forwarder everywhere and point them at Splunk Cloud. If you do not allow your servers to have outside access, then I would create a Heavy Forwarder (does the indexing, but not storage) that points to Splunk Cloud. Single point out to the Cloud, and all of your internal forwarders would send to the Heavy Forwarder.
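
The second layout from the answer above (internal forwarders sending to one heavy forwarder, which is the only host with a path out to Splunk Cloud), sketched as configuration. This is an added example, not part of the original posts; the hostname `hf.example.internal`, the group name `internal_hf` and port 9997 are assumptions.

```ini
# --- outputs.conf on each internal universal forwarder ---
# hf.example.internal is a placeholder for the heavy forwarder's hostname.
[tcpout]
defaultGroup = internal_hf

[tcpout:internal_hf]
server = hf.example.internal:9997
# Keep data queued until the heavy forwarder acknowledges receipt.
useACK = true

# --- inputs.conf on the heavy forwarder ---
# Accept forwarder traffic from the internal hosts on the assumed port.
[splunktcp://9997]
disabled = 0
```

The heavy forwarder's own outbound settings are not shown: they come from the forwarder credentials app downloaded from the Splunk Cloud instance. With this layout only the heavy forwarder needs an outbound firewall rule, and the internal hosts only need to reach it on the receiving port.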