What are the pros and cons of installing a UF on same machine as my Splunk instance?

mawomommoh
Path Finder

I know it is possible to install a UF on the same machine as my Splunk instance as stated in these posts:
1. https://answers.splunk.com/answers/131245/running-a-universal-forwarder-on-the-same-server-as-the-en...
2. https://answers.splunk.com/answers/471936/install-both-universal-forwarder-and-splunk-enterp.html

but I would like to know if there are notable reasons why to do so or not.
- Are there any benefits to having both on the same machine or otherwise?
- What is the best practice and why is that so?
- Which approach is most prone to errors?

Thanks in advance! 🙂

0 Karma
1 Solution

xpac
SplunkTrust

Don't. 😉

Unless you have a pretty good reason, and a special edge use case, I don't see a good reason to do it.
In general (and by best practice), your Search Heads/Indexers/other full Splunk instances should be dedicated to that role, and do nothing else. However, if you need to run a certain input/script on them, you can do that without having a separate UF, and you could distribute such settings from a Deployment server.

So - as mentioned in the other posts you linked, it's possible, but something I'd reserve for a lab/test setup/POC/any other non-productive setup, and also only if I have good reasons. Other than that, you'll have additional overhead/troubleshooting effort, unless you're firm enough with Splunk that this won't cause you trouble. You'd have to set up ports that differ from the defaults, etc.

Basically - tell us why you think of doing this, and we can give you some much better pro/cons. 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

mawomommoh
Path Finder

Thanks for the response. So in a situation where the files that need to be forwarded to Splunk are created locally on the machine in which the Splunk instance is installed, wouldn't it be advisable to also install the forwarder on that same machine (being that files will be forwarded faster)?

0 Karma

xpac
SplunkTrust

It would actually be slower, because the forwarding causes some overhead.
You can just have the Splunk instance on that server do the input.

Consider the Universal Forwarder to be a subset of a full Splunk instance. A full Splunk instance can do everything a UF can do, at the same speed - but a UF can only do a subset of what full Splunk can do. The UF is only lightweight, and therefore deployed on servers whose primary task isn't Splunk, but something else.

Therefore - just do whatever you want to do using the full Splunk instance.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
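The two layouts contrasted above, as an added configuration example that is not part of the thread: the full Splunk instance monitoring the local file directly, beside what a co-located Universal Forwarder would additionally need. The file path, index name, sourcetype and the ports 8090/9997 are assumed example values.

```ini
# Recommended layout: the full Splunk instance on this host reads the local file itself.
# File: $SPLUNK_HOME/etc/system/local/inputs.conf on the full instance
# (path, index and sourcetype are assumed example values)
[monitor:///var/log/myapp/app.log]
disabled = false
index = app_logs
sourcetype = myapp:log

# Layout the answer advises against: a second, co-located Universal Forwarder.
# Both splunkd processes default to management port 8089, so the UF has to be
# installed under its own $SPLUNK_HOME, moved to another management port, and
# pointed back at the local indexer over a receiving port the indexer must open.

# UF: $SPLUNK_HOME_UF/etc/system/local/web.conf  (8090 is an assumed free port;
# binding to loopback keeps the UF management API off the network)
[settings]
mgmtHostPort = 127.0.0.1:8090

# UF: $SPLUNK_HOME_UF/etc/system/local/inputs.conf  (same stanza as above, now
# maintained in a second place)
[monitor:///var/log/myapp/app.log]
disabled = false
index = app_logs
sourcetype = myapp:log

# UF: $SPLUNK_HOME_UF/etc/system/local/outputs.conf  (loopback only; 9997 assumed)
[tcpout]
defaultGroup = local_indexer

[tcpout:local_indexer]
server = 127.0.0.1:9997

# Full instance: $SPLUNK_HOME/etc/system/local/inputs.conf must now also listen
# for the forwarder, which is the extra hop and overhead the answer refers to.
[splunktcp://9997]
disabled = false
```

The second layout doubles the configuration to maintain and adds a local TCP hop for data that the first layout reads in place.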

mawomommoh
Path Finder

Oh, I see. I was thinking that it would be faster because the files would not need to go a long distance as compared to a case in which they are being sent from a different location.

Thanks for the explanation.

Much appreciated! 🙂

0 Karma