Hello everybody,
I have to deploy 3 virtual machines to set up an architecture containing a forwarder, indexer and header.
I am new to the Splunk side of integration.
Can anyone give me their ideas?
Thank you in advance.
Taking into account the info provided above regarding system requirements and architecture, if you want a search head, an indexer, and a forwarder, here are some notes that might help you get up and rolling quickly. I would recommend reading the docs on this as well so you understand it more deeply, but this will be sort of a quick start.
Install Universal Forwarders and configure to send to all Search Peers
Example Universal Forwarder outputs.conf
[tcpout]
defaultGroup = my_search_peers

[tcpout:my_search_peers]
server = 10.10.10.1:9997,10.10.10.2:9997
autoLB = true
Forward internal SH data to the indexer tier.
[indexAndForward]
index = false

[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
server = 10.10.10.1:9997,10.10.10.2:9997
autoLB = true
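As an added example (not part of the answer above and not Splunk's own tooling), the following Python script parses the two outputs.conf files from the answer and checks the points the answer relies on: that `defaultGroup` resolves to a `[tcpout:<group>]` stanza, that every `server` entry is a `host:port` pair, that `autoLB` is not switched off when several indexers are listed, and that the search head has local indexing disabled (`indexAndForward = false` and `[indexAndForward] index = false`) so its internal data actually reaches the indexer tier. The stanza names and addresses are copied from the answer; the `check_outputs` function and the deliberately broken third config are constructed for illustration.

```python
import configparser
import re
from typing import Dict, List

# Constructed copy of the forwarder outputs.conf shown in the answer.
FORWARDER_OUTPUTS = """
[tcpout]
defaultGroup = my_search_peers

[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
"""

# Constructed copy of the search head outputs.conf shown in the answer.
SEARCH_HEAD_OUTPUTS = """
[indexAndForward]
index = false

[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
"""

# Constructed, deliberately broken forwarder config: one server lacks a port
# and load balancing is turned off although two indexers are listed.
BROKEN_FORWARDER_OUTPUTS = """
[tcpout]
defaultGroup = my_search_peers

[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2
autoLB = false
"""

HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str  # Splunk keys are case-sensitive (defaultGroup, autoLB)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_outputs(conf: Dict[str, Dict[str, str]], role: str) -> List[str]:
    """Return a list of findings; an empty list means the file passed.

    role is "forwarder" or "search_head"; the search head gets the extra
    checks the answer's second config relies on.
    """
    findings: List[str] = []
    tcpout = conf.get("tcpout")
    if tcpout is None:
        return ["missing [tcpout] stanza: nothing will be forwarded"]

    group_list = tcpout.get("defaultGroup", "")
    if not group_list.strip():
        findings.append("[tcpout] has no defaultGroup")
    for group in (g.strip() for g in group_list.split(",") if g.strip()):
        stanza = conf.get(f"tcpout:{group}")
        if stanza is None:
            findings.append(f"defaultGroup '{group}' has no [tcpout:{group}] stanza")
            continue
        servers = [s.strip() for s in stanza.get("server", "").split(",") if s.strip()]
        if not servers:
            findings.append(f"[tcpout:{group}] lists no server")
        for server in servers:
            if not HOST_PORT.match(server):
                findings.append(f"[tcpout:{group}] server '{server}' is not host:port")
        # Only flag an explicit autoLB = false; the Splunk default is not assumed here.
        if len(servers) > 1 and stanza.get("autoLB", "").lower() == "false":
            findings.append(f"[tcpout:{group}] has several servers but autoLB is false")

    if role == "search_head":
        if tcpout.get("indexAndForward", "").lower() != "false":
            findings.append("search head: [tcpout] indexAndForward should be set to false")
        if conf.get("indexAndForward", {}).get("index", "").lower() != "false":
            findings.append("search head: [indexAndForward] index should be set to false")
    return findings


if __name__ == "__main__":
    for name, text, role in [
        ("forwarder", FORWARDER_OUTPUTS, "forwarder"),
        ("search head", SEARCH_HEAD_OUTPUTS, "search_head"),
        ("broken forwarder", BROKEN_FORWARDER_OUTPUTS, "forwarder"),
    ]:
        result = check_outputs(parse_conf(text), role)
        print(f"{name}: {'OK' if not result else result}")
```

Running the script reports both configs from the answer as clean and lists the two problems in the broken one. The check is intentionally limited to what the answer shows; it does not validate other outputs.conf settings.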
The answer is going to depend on exactly what you are trying to do; you will need to meet the system requirements for Splunk.
There are conference talks about sizing, for example from 2015.
There is also the capacity planning documentation and the installation manual among many others. I built all my Splunk instances from reading the excellent documentation so that would be a good place to start...
The conf 2017 slides are not uploaded yet but there were a few talks about using docker instances to create Splunk test environments.
You could in your example build 1 Splunk indexer, 1 Splunk search head (distributed Splunk architecture) and your remaining server could be a Splunk heavy forwarder or just a universal forwarder.
Or you could just build a single Splunk instance which is indexer/search head and have just 1 server; it is going to depend on what you are attempting to do.
Alternatively you could look at building an indexer cluster which would require 1 server for cluster master and multiple indexers (or peer nodes).
With Splunk you have two ways to approach the architecture, with a standalone Splunk instance or a distributed set-up. It's much simpler to start with the standalone one, so, that's probably your best choice to begin with.
First off, I am guessing you mean a Forwarder, Indexer and Search Head.
What are you looking for help with? Sizing for the VMs?
I would suggest reading this.