Looking to set up a Heavy Forwarder as a data processing server. We get data logs in a specific format dropped on our production machines, but it needs to be opened and converted to CSV by a special script. Since the data originally drops on the production servers, there is also a process that follows it on the same server and converts it to CSV, which is then picked up by the Universal Forwarder and sent to the Indexer.
I would like to move the conversion process from the production server and save potential performance impact and push these to a Heavy Forwarder, which would then execute the script and send the results forward to the Indexer. Is it possible to do this with Splunk Forwarders, or do I need to look into an automated copy process from the production servers to the processing server?
↧