Some customers configure all the servers to write their logs to a network share, NFS or otherwise. This setup can be made to work, but it is not ideal.
The advantages of this approach include:
- A forwarder does not need to be installed on each server that is writing its logs to the share.
- Only the Splunk instance reading these logs needs rights to the logs.
The disadvantages of this approach include:
- The network share can become overloaded and turn into a bottleneck.
- If a single file has more than a few megabytes of unindexed data, the Splunk process will only read this one log until all the data is indexed. If there are multiple indexers in play, only one indexer will be receiving data from this forwarder. ...