Installing Splunk as Indexer

traillz
New Member

I am interested in using Splunk as an indexer, but would like to query other servers/controllers in the network for specific information. Is this possible with the 4.2.1 Forwarder?

We are looking to take our Splunk installations down from every server (250+) to one server that queries other servers remotely.


lguinn2
Legend

If I understand the question, the answer is yes.

A possible implementation would be:

  1. Install a single Splunk indexer on a Linux or Windows server.

  2. Install the Splunk Universal Forwarder on each [production] server that you want to monitor. Configure each forwarder to send the appropriate data to the Splunk indexer.

You could call this the "push" method. As events happen on the production servers, the information is forwarded and indexed. The events will be searchable on the indexer almost immediately after they occur (depending on network latency, etc.).

If you want a single indexer to "pull" data from the production servers, without installing the Splunk forwarders on the production servers, the answer is maybe - but you probably don't want to do it that way. Splunk can do remote WMI for Windows servers, but it is actually faster to use the Universal Forwarder in most cases. And there are other ways to set up your environment, too, using network inputs and/or scripted inputs.

I would not generally recommend an environment where a single server polled all the production servers, with no agent software on the production servers, whether for Splunk or anything else. I think you could have some issues with performance, latency, resilience, restart/recovery, etc. -- problems that the Universal Forwarder has already solved for you.

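The "push" setup the answer describes, written out as an added configuration example (not part of the original post or of Splunk's own documentation). The indexer hostname, certificate paths, index names and monitored files are assumptions chosen for illustration; the setting names are the ones in current Universal Forwarder and indexer releases and may differ from the 4.2.1 version the question mentions. The security-relevant additions a practitioner would want on top of "send data to the indexer" are TLS with mutual certificate verification, so that a rogue host on the network can neither impersonate the indexer nor inject events, and indexer acknowledgement so the forwarder queues rather than silently drops data when the indexer is unreachable.

```ini
# ---------------------------------------------------------------------------
# Forwarder side (each production server):
#   $SPLUNK_HOME/etc/system/local/outputs.conf
# Hostname, port group name and certificate paths are assumptions.
# ---------------------------------------------------------------------------
[tcpout]
defaultGroup = primary_indexer

[tcpout:primary_indexer]
server = splunk-idx01.example.internal:9997
# Refuse to send unless the indexer presents a certificate chaining to our CA
# (CA path is configured in server.conf, below).
sslVerifyServerCert = true
# Client certificate the indexer will check against (mutual TLS).
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
# Splunk rewrites this value to an encrypted form on the next restart.
sslPassword = changeme-key-password
# Wait for the indexer to confirm the data was written; retry from the
# forwarder's queue if it is not acknowledged.
useACK = true

# ---------------------------------------------------------------------------
# Forwarder side: $SPLUNK_HOME/etc/system/local/inputs.conf
# What to collect; files, sourcetypes and index names are assumptions.
# ---------------------------------------------------------------------------
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os_linux

[monitor:///var/log/syslog]
sourcetype = syslog
index = os_linux

# ---------------------------------------------------------------------------
# Both sides: $SPLUNK_HOME/etc/system/local/server.conf
# The CA that issued both the indexer and forwarder certificates.
# ---------------------------------------------------------------------------
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# ---------------------------------------------------------------------------
# Indexer side: $SPLUNK_HOME/etc/system/local/inputs.conf
# Listen for forwarders over TLS only; do not also open a plain [splunktcp://9997].
# ---------------------------------------------------------------------------
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = changeme-key-password
# Reject forwarders that cannot present a certificate signed by our CA,
# otherwise anyone who can reach port 9997 can feed events into the index.
requireClientCert = true
```

After restarting both sides, `splunk btool outputs list --debug` on a forwarder shows which file each effective setting came from, and on the indexer a search such as `index=_internal source=*metrics.log* group=tcpin_connections` lists the connected forwarders and whether their sessions are using SSL, which is the quickest way to confirm that every one of the 250+ hosts is actually arriving over the encrypted, authenticated path rather than a leftover cleartext input.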