All Apps and Add-ons

Add data into splunk cluster .

email2vamsi
Explorer

I have integrated Search Head cluster with Indexer Cluster. I am able to get search peers data,search members data,forwarders data in the search head by querying index="_internal".
I have a deployment server configured on a different machine. From here i can push apps to clients.
I have the following requirement now :-
On which server (Search peer/Search head/deployment server) should i configure the process of monitoring files on forwarders(ADD Data)?
On the Search peers-> Data inputs-> Forwarded inputs -> Files & Directories ...it is displaying the following message.
"Use this page only in a single-instance Splunk environment."

Tags (1)
0 Karma

jdunlea
Contributor

"Data inputs -> forwarded Inputs - > files and directories" is used when you wish to monitor a LOCAL file/directory on that server and then forward the data from that monitoring to another server (such as an indexer)

In a distributed environment, this feature of the UI is going to provide you little to no value.

On your question as to where to configure the process of monitoring files on forwarders, you should configure "apps" in the deployment server and then deploy these apps to all of your forwarders machines. (Assuming that you have configured your forwarders as clients of the deployment server and to periodically check in with the deployment server to check for new "apps" to download).

There is plenty of documentation on Splunk's website for this.

Here are some helpful links:
About Deployment Server

Deployment Server Architecture

email2vamsi
Explorer

Thank you.
As mention by you,if the ADD DATA step is performed on dedicated deployment server. How will the search head get the data from deployment server to search? How the search peers will contact deployment server and index the data?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...