My question is, can a Heavy Forwarder perform remote WMI data collection or this feature requires an Indexer?
I have read this and other splunk documentation but I can't find an answer for this.
Can anyone help? Thank you.
Yes, it can.
A heavy forwarder is essentially just a regular Splunk installation that has been configured to forward data. WMI data collection functionality is included in all types of Splunk installations, including light and heavy forwarders.
Okay this is good news, it answers my question as well except now I'm left wondering how it works. The remote performance monitoring data input requires that an index be specified. When a heavy forwarder is doing the collecting does this index imply the one at the actual index server or the one on the heavy forwarder? If it's going on the heavy forwarder index AND being forwarded, how do I clear out the local index so it's not building up a big index like the one on my receiver/indexer?
I can rig a forwarder and have the same machine do remote performance monitoring. Is that all there is to it or do I need to configure something else so it's working the way I expect, ie collecting data at the forwarder then sending the data to the indexer for storage?
Yes, it can.
A heavy forwarder is essentially just a regular Splunk installation that has been configured to forward data. WMI data collection functionality is included in all types of Splunk installations, including light and heavy forwarders.
Thank you.