Solved: Re: Can Heavy Forwarder perform remote WMI data co...

fernandoandre · ‎05-25-2012

My question is, can a Heavy Forwarder perform remote WMI data collection or this feature requires an Indexer?

I have read this and other splunk documentation but I can't find an answer for this.

Can anyone help? Thank you.

Ayn · ‎05-25-2012

Yes, it can.

A heavy forwarder is essentially just a regular Splunk installation that has been configured to forward data. WMI data collection functionality is included in all types of Splunk installations, including light and heavy forwarders.

View solution in original post

cignul9 · ‎10-30-2012

Okay this is good news, it answers my question as well except now I'm left wondering how it works. The remote performance monitoring data input requires that an index be specified. When a heavy forwarder is doing the collecting does this index imply the one at the actual index server or the one on the heavy forwarder? If it's going on the heavy forwarder index AND being forwarded, how do I clear out the local index so it's not building up a big index like the one on my receiver/indexer?

I can rig a forwarder and have the same machine do remote performance monitoring. Is that all there is to it or do I need to configure something else so it's working the way I expect, ie collecting data at the forwarder then sending the data to the indexer for storage?

Ayn · ‎05-25-2012

Yes, it can.

A heavy forwarder is essentially just a regular Splunk installation that has been configured to forward data. WMI data collection functionality is included in all types of Splunk installations, including light and heavy forwarders.

fernandoandre · ‎05-25-2012

Thank you.

Can Heavy Forwarder perform remote WMI data collection?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases