
Advantages to using Splunk Universal Forwarders or Splunk REST API?

I'm currently using Splunk as a way to index generated log files from a Java application. I have a Splunk Enterprise instance running using development data (on a local server), and currently the log data is just being pushed to Splunk via their REST API (using their Java SDK).

However, this Java app will eventually be used against production data, live on AWS EC2 instances. I'm wondering if there are any advantages to ditching their REST API and implementing Splunk Universal Forwarders on these EC2 instances.

Would there be any advantages? When is it appropriate to use forwarders instead of the REST API?

From what I can gather, the forwarders do well at scale, so perhaps this is an advantage? I've searched around but didn't find any clear-cut comparisons between the two, so I was hoping someone on here would perhaps have a better idea.

Splunk REST API is really meant for integration with external apps and requests to manage the already indexed data.

Any serious volume coming in should be handled by the Universal/Heavy Forwarders as they were purposely developed for that function (thus orders of magnitude more efficient).
