All Apps and Add-ons

Add data into splunk cluster .


I have integrated Search Head cluster with Indexer Cluster. I am able to get search peers data,search members data,forwarders data in the search head by querying index="_internal".
I have a deployment server configured on a different machine. From here i can push apps to clients.
I have the following requirement now :-
On which server (Search peer/Search head/deployment server) should i configure the process of monitoring files on forwarders(ADD Data)?
On the Search peers-> Data inputs-> Forwarded inputs -> Files & Directories is displaying the following message.
"Use this page only in a single-instance Splunk environment."

Tags (1)
0 Karma


"Data inputs -> forwarded Inputs - > files and directories" is used when you wish to monitor a LOCAL file/directory on that server and then forward the data from that monitoring to another server (such as an indexer)

In a distributed environment, this feature of the UI is going to provide you little to no value.

On your question as to where to configure the process of monitoring files on forwarders, you should configure "apps" in the deployment server and then deploy these apps to all of your forwarders machines. (Assuming that you have configured your forwarders as clients of the deployment server and to periodically check in with the deployment server to check for new "apps" to download).

There is plenty of documentation on Splunk's website for this.

Here are some helpful links:
About Deployment Server

Deployment Server Architecture


Thank you.
As mention by you,if the ADD DATA step is performed on dedicated deployment server. How will the search head get the data from deployment server to search? How the search peers will contact deployment server and index the data?

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...