Do we need to install the Splunk Add-on for Box on both search heads and indexers, and do Box logs get stored on the heavy forwarder or indexers?

ericlarsen
Path Finder

Couple questions about the Splunk Add-on for Box. We're setting up a heavy forwarder to collect the data. Do we need to also install the add-on on both the Search Heads and Indexers as well, or just the Search Heads?

I'm also trying to determine how much disk space is needed on the heavy forwarder VM. Do the Box logs get stored on the heavy forwarder or do they get passed directly to the Indexers, without a copy being saved?

Appreciate the help.
Thanks!

0 Karma

rpille_splunk
Splunk Employee

Hi Eric. The installation instructions in the documentation specify that you should install this add-on to your search heads and your heavy forwarder. There is no need to install it on indexers. http://docs.splunk.com/Documentation/AddOns/latest/Box/Install

As for your second question, no, the Box logs are not stored on the heavy forwarder, but they do get parsed there before they are sent on to your indexers. In general, when you think about scaling your forwarders for your data collection tasks, you are considering throughput, not storage. More here: http://docs.splunk.com/Documentation/Splunk/6.3.0/Deploy/Datapipeline

In this case, the Box API has rate limiting, so you are most likely going to be fine with one heavy forwarder.

0 Karma

rpille_splunk
Splunk Employee

Also, I am not sure if you are familiar with our Splunk classes, but you might also be interested in checking out the Splunk 6 Administration class. It's an excellent class for getting really familiar with these concepts and applications. There are several prereqs.
Details and upcoming schedule can be found here:
https://inter.viewcentral.com/Events/cust/search_results.aspx?cid=splunk&pid=1&lid=1&tstamp=14460522...

0 Karma