Hello,
I have 2 questions as below:
First, I installed Splunk on Windows Server 2008 (local user). How can I use another computer to connect to that computer in order to control Splunk remotely (the computer I use may be on the same company network, or on the internet)?
Second, how can I know that the forwarder is active and not cut off from the network to which Splunk connects? I read the documents and know 2 methods:
- If the forwarder is a computer, we can use a scripted input with the ping command
- If the forwarder is a switch, router, ... that implements the SNMP protocol, it can send SNMP traps to Splunk, and if there is no data for a certain time, we can infer it's disconnected from the network.
Am I right? Or am I missing something?
Your first question does not entirely make sense to me. Splunk has its own webserver, known as Splunkweb, which you can use to access it remotely, assuming your firewalls etc. allow it. If they don't, you'll need to configure them to allow it. For anything you cannot do via SplunkWeb, you will need to use something like Remote Desktop to connect to the server as if you were at its console.
For the second question, you need to be more careful with terminology. A Splunk forwarder is only one thing - it is a computer that has the Splunk software loaded on it. Switches and routers are not (and for the foreseeable future cannot be) forwarders. Switch and router vendors typically do not support installing 3rd party software products on their equipment.
For a genuine Splunk forwarder, there is a periodic checkin that can be monitored via the Deployment Monitor app in Splunk.
For your switches and routers, you can use the absence of events as a hint that they are down, but it is just a hint. You might use a scripted input on the Splunk indexer to poll them via SNMP and confirm they can answer you, which would be an even better hint.
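A sketch of the scripted input suggested in the answer above, added here as an illustration and not taken from the original posts or from Splunk: it combines the two hints (event silence and an SNMP poll) into one status per device and prints key=value lines for Splunk to index. It assumes Net-SNMP's `snmpget` is on the PATH; the host names, the `public` community string, the 15-minute silence threshold and the status names are constructed placeholders.

```python
import subprocess
import time

SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"  # sysUpTime.0 (MIB-II), answered by most agents

def snmp_probe(host, community="public", timeout_s=2):
    """Return True if the device answers an SNMP GET via Net-SNMP's snmpget."""
    cmd = ["snmpget", "-v2c", "-c", community, "-t", str(timeout_s),
           "-r", "1", host, SYS_UPTIME_OID]
    try:
        result = subprocess.run(cmd, capture_output=True, timeout=timeout_s * 2 + 1)
    except subprocess.TimeoutExpired:
        return False
    return result.returncode == 0

def classify(last_event_epoch, now, max_silence_s, reachable):
    """Combine 'no recent events' (a hint) with the poll result (a better hint)."""
    silent = last_event_epoch is None or now - last_event_epoch > max_silence_s
    if reachable:
        # Device answers: silence points at the logging path, not the device.
        return "up_but_silent" if silent else "up"
    # Device does not answer: recent events suggest an SNMP/ACL issue instead.
    return "down" if silent else "poll_failed"

def check_devices(last_seen, probe, now=None, max_silence_s=900):
    """Return one key=value event line per device, sorted by host name."""
    now = time.time() if now is None else now
    lines = []
    for host in sorted(last_seen):
        status = classify(last_seen[host], now, max_silence_s, probe(host))
        lines.append(f'{int(now)} host="{host}" status={status}')
    return lines

if __name__ == "__main__":
    # Constructed sample: epoch of the last event received from each device.
    now = time.time()
    sample_last_seen = {"sw1.example": now - 60, "rtr1.example": now - 3600}
    # Stub probe so the demo runs offline; pass snmp_probe for real polling.
    stub_probe = lambda host: host == "sw1.example"
    for line in check_devices(sample_last_seen, stub_probe, now=now):
        print(line)  # Splunk indexes a scripted input's stdout
```

Only `down` (silent and not answering the poll) is a strong signal; `up_but_silent` and `poll_failed` usually mean a syslog, trap or SNMP access problem on a device that is still running.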