Hi guys,
Just a few quick questions about getting Splunk server data into splunk!
Our splunk environment collects a large amount of security data from thousands of sources, yet, we don't collect any security data from the Splunk servers themselves (they run on Redhat linux OS). I was thinking of adding all of our servers (Cluster master, license master, deployer etc) to our deployment server and create a server class with the the *nix TA to ingest the relevant host data we want. Is this the best solution or does anyone have any better ideas on how to do it?
Also, can the deployment server be a client of itself? How do we get data from it to our indexer cluster if not?
Is the indexer cluster okay with forwarding data to itself?
Any help would be appreciated.
Cheers!
↧