Adding Servers monitored by Splunk

dina_vaghjiani · ‎10-17-2012

We are going through the process of adding more servers to our fleet and monitor them with splunk.
1. Does anyone know an easy way of grabbing a list of all the servers which currently report into splunk?
2. And does anyone know how I can configure a server to report to a newly added splunk server?

Many Thanks

[edited title]

yannK · ‎11-02-2012

It depends of what you want to do :

to get the list of the monitored hosts, do a search on the host
get the list of your existing forwarders, enable the "Deployment Monitor" app and look at the reports of the forwarders
to add new indexers, and load balance your data between all your indexers :

Here is the classic procedure to add a new indexer to the cluster.

On the new indexer,

define all the indexes,
setup all the props/transforms required for the indexing of your sourcetypes.
open the listening ports (splunktcp 9997 by example)
List item

On the search-head,

add the new indexer as a search-peer (manager > distributed search)

On each forwarders :

edit outputs.conf to add the new indexer to the tcpout server list for details http://docs.splunk.com/Documentation/Splunk/4.0/Admin/Configureround-robindatabalancing

dina_vaghjiani · ‎11-02-2012

Hi I mean "sending logs". We have a number of servers whose log files we can analyse via splunk, I want to know the full list of which servers and how to add a server.

bmacias84 · ‎10-17-2012

@dina_vaghjiani, Are you looking for getting your new splunk server or forwarders to "report into" a Deployment server or licensing server.

Ayn · ‎10-17-2012

Define "report into" - do you mean that they're sending logs, or that they're deployment clients, or a bit of both?

Adding Servers monitored by Splunk

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases