Getting Data In

Taking over an old Splunk deployment, how should I get data forwarded to our Splunk indexer?

mhuntington
Explorer

Hello,

As I've said in a previous post, I am new to Splunk so please excuse the newb questions.

I have been tasked with taking over our Splunk project which was installed about 6 years ago and mostly idle ever since. Now I have 2 weeks to get certain dashboards running. Keep in mind I do not have a strong IT background, but I do have people who can assist me.

My question is about what to use to get certain information to the indexing server. When this system was initially set up, consultants came in and used universal forwarders, but they had several problems. One work around was to use SQL Server agent to help collect some of the network data. I'm sure Splunk has grown over the past 6 years, so now I am wondering what I should use, possibly even instead of forwarders. I am thinking about reinstalling Splunk from scratch.

For instance, here are some of the things I want to collect. If someone could point me in a direction as to what to use I would appreciate the help. I've tried searching Splunk Knowledgebase, but there is so much, I'm just now sure which direction to go (which apps to use, etc).

Antivirus update data (I was told they had a problem getting Symantec to play nice in the past)
Bandwidth data
Failed logins
File auditing after hours
Barracuda backup data
Firewall data (this monitored is on a separate management computer so may not work)

Thanks again.

0 Karma

Raghav2384
Motivator

Hey @mhuntington,

I am afraid to say there's no one answer or a simple answer to your question. You are right about splunk, it changed a lot over the years and now lot of stuff can be done with few clicks / simple configs.

  1. Assuming, When you say taking over an existing system, are you are talking about migrating it to a new instance? If so, have you ever thought of converting the old instance as a forwarder to your new instance? That way, only think you have to make sure is connectivity between old and new instances + same indexes / configs should be created on the new indexer. This is simple if the hardware is new and you are now the owner of the legacy hardware. If the hardware is EOL, you are now back to square one
  2. If it has to be re-created as brand new setup (Starting everything that use to go to old instance to new instance), i would suggest you to go and ask little more time than two weeks from leadership, set something up parallel to the old setup. Send data from the data sources you've mentioned to both the instances (Old + new Instances) to validate the data and artifacts. Once the data validation is completed, you can simply shut down the old instance.
  3. This might be a simple option if Time line is a constraint, ask for professional services to do the work. They would be more than happy to get you migrated.

My personal favorites are 1. Convert the old instance as a forwarder to your new instance Or 2. Setup something parallel to the old instance (This instance would be your forwarder/indexers, collecting data from the data sources you've mentioned. Validate, validate and validate...finally shutting down the old instance). Again, there's not going to be a simple answer to your question. We can only post content from our experiences. Hope this helps!

Thanks,
Raghav

0 Karma

mhuntington
Explorer

Thank you Raghav, good advice.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...