Guys, I currently have Splunk Enterprise 6.5.0 Free running on a W2k8 R2 host and Universal Forwarders (Windows host) and direct syslog (unix host) feeding log data into it fine.
I am working here on the assumption that Splunk licensing comes into play at the indexer and that any paring down of unwanted events at the Heavy Forwarder will reduce the licensing liabilities. Is this assumption correct?
I want to evaluate the Heavy Forwarder parsing functionality for data volume licensing reasons and am wondering if I can combine the two functionalities of the Heavy Forwarding and Indexing on a single VM host? I don't think I can but am trying to limit the number of VMs I have to run for this test scenario. Please refer to the high tech test scenario diagram below :-)
External Host |                       | Splunk Enterprise Server     |
Log Data      | >>>>>>>>>>>>>>>>>>>>> | Heavy Forwarder >>>> Indexer |
Thanks in anticipation. kevbod