https://community.splunk.com/t5/Getting-Data-In/Indexer-Tuning-Best-Practices-How-to-decide-which-apps-or-add/m-p/273796#M52508 <P>I want to clean up the indexers and remove unnecessary Apps that could be using up unnecessary CPU and memory. I have three indexers and they all have a different set of apps on each of the three indexers. I am on Splunk version 6.2.3</P> <P>How can I tell if an app is needed on the indexer?<BR /> For instance the Windows app is on only one indexer.<BR /> Do I need this on all three or none?<BR /> I also have S.o.S - Splunk on Splunk on all three indexers, one has the TA-splunk and the Splunk app/add-on for *nix.<BR /> Are all three TA-s needed? Don't they all run scripted inputs?<BR /> Is there some where or some one that has addressed indexer tuning best practices?</P> Mon, 04 Apr 2016 13:14:59 GMT hartfoml 2016-04-04T13:14:59Z https://community.splunk.com/t5/Getting-Data-In/Indexer-Tuning-Best-Practices-How-to-decide-which-apps-or-add/m-p/273796#M52508 <P>I want to clean up the indexers and remove unnecessary Apps that could be using up unnecessary CPU and memory. I have three indexers and they all have a different set of apps on each of the three indexers. I am on Splunk version 6.2.3</P> <P>How can I tell if an app is needed on the indexer?<BR /> For instance the Windows app is on only one indexer.<BR /> Do I need this on all three or none?<BR /> I also have S.o.S - Splunk on Splunk on all three indexers, one has the TA-splunk and the Splunk app/add-on for *nix.<BR /> Are all three TA-s needed? Don't they all run scripted inputs?<BR /> Is there some where or some one that has addressed indexer tuning best practices?</P> Mon, 04 Apr 2016 13:14:59 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-Tuning-Best-Practices-How-to-decide-which-apps-or-add/m-p/273796#M52508 hartfoml 2016-04-04T13:14:59Z https://community.splunk.com/t5/Getting-Data-In/Indexer-Tuning-Best-Practices-How-to-decide-which-apps-or-add/m-p/273797#M52509 <P>There are a few things you should do:</P> <P>How can I tell if an app is needed on the indexer?<BR /> - Generally you can find out if the documentation for the app says it has index-time operations. You'll have to examine each app and see if there are any transforms or props stanzas that would apply at index-time.</P> <P>Specifically, the windows app contains entries in props.conf that modify sourcetype, which is an index-time operation. So you'll need it on the indexers. You only need it on the indexers where you're sending the windows logs, which is probably all of them.</P> <P>For the SoS app I'm not sure what the requirements are, but you probably need them all running on all of the indexers to collect information from them.</P> <P>You might consider setting up a "heavy forwarder" layer where all of your apps are installed, and then removing all or most of the apps from the indexers. That way the tasks of index-time operations can all be done on the heavy forwarders instead of the indexers.</P> <P>You might find this useful as well: <A href="http://wiki.splunk.com/Things_I_wish_I_knew_then">http://wiki.splunk.com/Things_I_wish_I_knew_then</A></P> Tue, 05 Apr 2016 04:25:17 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-Tuning-Best-Practices-How-to-decide-which-apps-or-add/m-p/273797#M52509 niemesrw 2016-04-05T04:25:17Z