I have integrated Search Head cluster with Indexer Cluster. I am able to get search peers data,search members data,forwarders data in the search head by querying index="_internal".
I have a deployment server configured on a different machine. From here i can push apps to clients.
I have the following requirement now :-
On which server (Search peer/Search head/deployment server) should i configure the process of monitoring files on forwarders(ADD Data)?
On the Search peers-> Data inputs-> Forwarded inputs -> Files & Directories ...it is displaying the following message.
"Use this page only in a single-instance Splunk environment."
"Data inputs -> forwarded Inputs - > files and directories" is used when you wish to monitor a LOCAL file/directory on that server and then forward the data from that monitoring to another server (such as an indexer)
In a distributed environment, this feature of the UI is going to provide you little to no value.
On your question as to where to configure the process of monitoring files on forwarders, you should configure "apps" in the deployment server and then deploy these apps to all of your forwarders machines. (Assuming that you have configured your forwarders as clients of the deployment server and to periodically check in with the deployment server to check for new "apps" to download).
There is plenty of documentation on Splunk's website for this.
Here are some helpful links:
About Deployment Server
Thank you.
As mention by you,if the ADD DATA step is performed on dedicated deployment server. How will the search head get the data from deployment server to search? How the search peers will contact deployment server and index the data?