This PoC uses the Splunk Universalforwarder and Heavyforwarder as the main ingesting component.
In this PoC the Universalforwarder is used to monitor the /usr/share/data/accesss.log-file on the local filesystem and output the data to the heavyforwarder.
The heavyforwarder receives data from the universalforwarder and monitors the local /usr/share/data/accesss.log-file. The heavyforwarder then forwards the data to Splunk.
Splunk then stores the data in the http_logs index. When searched, Splunk applies the access_combined sourcetype to extract fields.
To run the PoC simply execute the run.sh script. It will start all the docker-container and apply runtime configuration, aswell as output log messages and cleanup after you exit.
Connectivity-configuration is handled in the docker-compose.yml. Splunk configuration is applied using apps (see apps-directory). Forwarder configuration is handled via the Forwarder-Management: Configuration is stored in apps in the deployment-apps-directory of splunk and is then automatically distributed to forwarder, according the assigned serverclasses.
