Getting Data In

Can someone delineate the advantages/disadvantages of using the universal forwarder vs. the oneshot command?

jaredlaney
Contributor

My team has been thinking about changing to the Splunk CLI oneshot command instead of the Splunk Universal Forwarder configs and traditional monitoring.

0 Karma
1 Solution

woodcock
Esteemed Legend

So you are contemplating recreating all of the functionality that a forwarder provides by coding it yourself and using the oneshot command and the method of injecting stuff into Splunk? WHY???? That is crazy! I find it difficult to imagine something that you might like to add to a forwarder that you cannot already do using Splunk's own forwarder configuration capabilities. Are you joking or am I misunderstanding you?

jaredlaney
Contributor

What else does it provide besides buffering, failover, and a round robin load balance (not a true load balance)? That is what I'm trying to explain to them.

0 Karma

woodcock
Esteemed Legend

Let's see: SSL, multiple destinations, buffering, transforming, timezoning, debugging tools, C&C by Deployment Server, Integration into DMC...

0 Karma
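To make the list above concrete, here is an added example (not taken from any post in this thread, nor from Splunk's own shipped defaults) of the forwarder-side configuration that delivers most of those items: `outputs.conf` for TLS with a verified server certificate and a client certificate, two load-balanced indexers with indexer acknowledgement and an in-memory queue, `inputs.conf` for a monitor stanza on a daily drop directory, `props.conf` for the timezone, and `deploymentclient.conf` to hand all of it to a deployment server. Hostnames, file paths, index and sourcetype names and the timezone are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf  (added example; hosts are placeholders)
[tcpout]
defaultGroup = prod_indexers

[tcpout:prod_indexers]
# Multiple destinations: the UF rotates across this list and moves to the other
# member when one indexer is unreachable.
server = idx1.example.com:9997, idx2.example.com:9997
autoLBFrequency = 30
# Indexer acknowledgement: a block is only released from the forwarder queue
# once an indexer confirms it has been written.
useACK = true
# Buffering while no destination is reachable.
maxQueueSize = 10MB
# TLS to the indexers: verify the server certificate against our CA and present
# a client certificate so the indexer can require authenticated forwarders.
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/uf_client.pem
sslPassword = <client-key-password>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com, idx2.example.com

# $SPLUNK_HOME/etc/system/local/inputs.conf
# Continuous file monitoring of the directory the daily file is written to.
[monitor:///var/log/daily_reports]
whitelist = \.csv$
index = ops
sourcetype = daily_report
# Daily files often start with an identical header line; salting the CRC with the
# path stops the UF from treating a new file as one it has already indexed.
crcSalt = <SOURCE>
disabled = 0

# $SPLUNK_HOME/etc/system/local/props.conf
# Timezoning: the producing host writes local time with no offset in the event.
[daily_report]
TZ = America/Chicago

# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Command and control by deployment server: once this is in place, the stanzas
# above belong in a deployment app so they can be pushed and changed centrally.
[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

Two caveats. The `clientCert` key is the current name for the forwarder's certificate path; older 6.x forwarders use `sslCertPath` for the same purpose, so check the `outputs.conf.spec` that ships with the version in use. And `splunk add oneshot` still runs on a Splunk instance and leaves through that instance's `outputs.conf`, so the transport settings above are needed either way; what oneshot gives up is the monitor stanza's position and CRC tracking, which is why a file submitted twice with oneshot is indexed twice.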

jaredlaney
Contributor

Thanks for the ammunition. They relented... 🙂

0 Karma

alacercogitatus
SplunkTrust

Not to mention Windows event log black/white lists, continuous file monitoring (oneshot would have to be scripted), Windows perfmon/powershell collection natively, etc etc etc.

@jaredlaney, what problem is your team seeing that caused this change of heart? I bet it can be fixed......

0 Karma

jaredlaney
Contributor

We have static log files that get created once a day and we're looking for a way to verify that the data made it to Splunk. We're thinking that we'd have to query Splunk through the REST interface to verify that the data made it.

0 Karma

alacercogitatus
SplunkTrust

Then, simply put, use the UF. Then in Splunk, write a saved scheduled report that finds that data. If count < 1, then it didn't make it. If count > 0, then you are good to go.

0 Karma
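The scheduled check described above, as an added example (not from the post, and not a Splunk default) in `savedsearches.conf`: an alert that runs after the daily file is due and fires when nothing for that sourcetype was indexed in the window. The index, sourcetype, app name, schedule and email address are placeholders; the search assumes the `inputs.conf` on the forwarder tags the file as `index=ops` and `sourcetype=daily_report`.

```ini
# $SPLUNK_HOME/etc/apps/ops_monitoring/local/savedsearches.conf  (added example)
[Daily report - file missing]
# tstats is answered from index metadata, so it is cheap enough to run often.
# With no group-by it always returns one row (count=0 when nothing matched), so
# the `where` clause turns "nothing arrived" into exactly one result row and
# "data arrived" into zero rows. The alert below fires on rows, not on count.
search = | tstats count where index=ops sourcetype=daily_report | where count < 1
# Look back a little more than a day so a slightly late file still counts.
dispatch.earliest_time = -25h@h
dispatch.latest_time = now
# Run at 06:30 every day, after the file is normally produced and forwarded.
cron_schedule = 30 6 * * *
enableSched = 1
# Trigger when the search returns at least one row, i.e. when count was 0.
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
# Record each firing under Triggered Alerts so the check is auditable later.
alert.track = 1
alert.suppress = 0
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = Daily report file did not reach Splunk
action.email.inline = 1
```

Because the alert condition is on the number of result rows rather than on the raw event count, a search that legitimately finds data produces no rows and stays quiet; the threshold of `greater than 0` rows is what makes the "count < 1" test actionable. With `alert.track = 1` the firings are kept inside Splunk, which removes the need for the external REST query the question above was considering.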

jaredlaney
Contributor

Our files are static and we don't do Windows but definitely true.

0 Karma

jaredlaney
Contributor

I'm not but I need reasons to convince my team otherwise.

0 Karma