Splunk comes in multiple product editions:
- Splunk Free
- Splunk Light
- Splunk Enterprise
- Splunk Cloud
Splunk Free, Splunk Light and Splunk Enterprise are hosted on-premises while Splunk Cloud is hosted by Splunk.
Out of these SKUs, Splunk Enterprise and Splunk Cloud are fully supported by uberAgent.
After installation, Splunk operates in Enterprise mode for 60 days. After that it reverts to Free mode if no license is added.
During the 60-day trial period Splunk is restricted to a daily data volume of 500 MB.
To be used in Splunk Cloud, a customer needs to file a support ticket to get the uberAgent apps installed. The cloud vetting team will then review the apps and approve them for Splunk Cloud installation.
The following two apps are required in Splunk Cloud:
Splunk Cloud only accepts data via encrypted protocols. This means that uberAgent needs to send data to Splunk Cloud via a Universal Forwarder installed on the endpoint and configured to communicate with Splunk Cloud. Alternatively, heavy forwarders can be used.
uberAgent generally works well with Splunk Free except for one thing: Splunk bug SPL-40332 breaks not the initial creation but the update of CSV lookup tables. To work around that we had to replace the outputlookup command with action.populate_lookup in a saved search. That, however, is a feature not enabled with Splunk Free.
As a result, uberAgent does not work correctly on Splunk Free until SPL-40332 has been fixed in a future version of Splunk.
However, using this workaround, the lookup table can be generated manually.
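The following savedsearches.conf fragment illustrates the replacement described above. It is an added example, not uberAgent's own configuration: the stanza names, index, sourcetype and lookup name are placeholders.

```ini
# Added illustration, not part of uberAgent. All names below are placeholders.
# File: savedsearches.conf

# Variant A: the search itself writes the CSV with the outputlookup command.
# The initial creation of the file works on Splunk Free, but the subsequent
# updates of the CSV are affected by Splunk bug SPL-40332.
[example_lookup_via_outputlookup]
enableSched = 1
cron_schedule = */15 * * * *
search = index=example_index sourcetype=example_sourcetype | stats latest(value) AS value BY host | outputlookup example_lookup.csv

# Variant B: the search only produces the rows; the saved-search action
# action.populate_lookup writes them to the lookup. This avoids SPL-40332,
# but the action is not available on Splunk Free, which is why uberAgent
# needs Splunk Enterprise or Splunk Cloud.
[example_lookup_via_populate_lookup]
enableSched = 1
cron_schedule = */15 * * * *
search = index=example_index sourcetype=example_sourcetype | stats latest(value) AS value BY host
action.populate_lookup = 1
action.populate_lookup.dest = example_lookup.csv
```

action.populate_lookup.dest accepts either a lookup name defined in transforms.conf or the CSV file itself; on Splunk Free only Variant A is available, so the lookup has to be regenerated manually as noted above.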
Splunk Light has a very limited feature set that does not even include the installation of apps (see Splunk Light vs. Splunk Enterprise). Due to these limitations uberAgent cannot work with Splunk Light.