We have a Splunk installation in a distributed environment with search head clustering and indexer clustering enabled and managed via a master node.
We are currently in the process of ingesting network logs into Splunk.
During the POC (non-clustered env) we installed several networking Splunk apps/add-ons like Arista Switch Source, F5 Sources, Palo Alto Firewall, etc. We deployed them on the search head and configured them to directly read syslog via some UDP port. [Network devices are sending logs via syslog directly, without the need for a UF.]
Now in PROD, we are in a clustered environment and I am wondering what is the best way to manage configurations? I see at least 2 options -
1 - Install the apps on the search heads and configure the apps the same way we did in the POC, where the search head reads the data off the UDP port and forwards it to the indexers.
2 - Install the apps on the search heads but don't use the apps to configure the inputs and sourcetypes. Manage them outside the app installation and push them via the master node to the indexers. This way the load is on the indexers, which read the data off the UDP ports and index it.
Are there other approaches (help outline pros and cons) without using UF?
Thanks!
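Option 2 written out as configuration, as an added example that is not part of the original post: the UDP listeners live in a small deployment app pushed from the master node to the indexers, and the search head keeps only the vendor apps' knowledge objects. The app name `net_syslog_inputs`, the index `netfw`, the ports and the sourcetype names are assumptions; check each add-on's documentation for the sourcetype it expects.

```ini
# Added example, not from the original post or any vendor add-on.
# On the cluster master:
#   $SPLUNK_HOME/etc/master-apps/net_syslog_inputs/local/inputs.conf
# then push it with:  splunk apply cluster-bundle
# The indexers open the UDP sockets; no inputs are configured on the search heads.

# One port per device family, because a UDP listener cannot tell
# senders apart by itself and each add-on wants its own sourcetype.
[udp://514]
sourcetype = pan:log            # assumed Palo Alto add-on input sourcetype
index = netfw                   # assumed index; must exist on the indexers
connection_host = ip            # record the sending device's IP as host
disabled = 0

[udp://1514]
sourcetype = f5:bigip:syslog    # assumed F5 add-on input sourcetype
index = netfw
connection_host = ip
disabled = 0

# On the search heads, nothing from the above is needed. Keep the vendor
# apps there for dashboards and search-time extractions only; any props/
# transforms the add-on needs at index time must also be in master-apps,
# since with option 2 the indexers, not the search heads, parse the data.
```

If you go with option 1 instead, the search heads need an outputs.conf pointing at the indexer peers and `[indexAndForward] index = false` so they forward rather than index locally; that setting is a standard Splunk option, not something the vendor apps configure for you.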