Re: Do you need to install the Palo Alto add-on on...

Glasses · ‎04-16-2020

Do you need to install the add-on on the indexers?
If the Heavy Forwarder has a tcp listener port for Palo logs then do you also need to install the TA add-on on the indexers?
We were planning on installing the app on the Search Head and add-on on HF only. Will that work?
What are the specific advantages installing the TA add-on and APP on the Search Head? Is that setup only for certain Palo products and services?
Thank you!

deejeta · ‎05-11-2020

I too am confused as well.
Palo Alto say in the documentation (https://splunk.paloaltonetworks.com/installation.html) that the only the app should be on the search heads.

Important changes
**Previous* guidance was to install the App and Add-on to all Search Heads, Indexers, and Heavy Forwarders. However, this can result in duplicate storage of accelerated datamodels. Now, it is recommended to install the App only on Search Heads per the table above. If you have installed the App on Indexers or Heavy Forwarders, please delete the App so only the Add-on remains on those nodes.
Earlier versions of the App would install the Add-on automatically. This is no longer allowed by Splunk so since App 5.4.2 you are required to install the App and Add-on individually.
Data Model acceleration is no longer enabled by default. Dashboards will not display any data until the data model is accelerated.*

Yet the addon has all the lookup files?

tauliang · ‎04-16-2020

Having separate clusters of forwarders, indexers and search heads makes it easier to scale up for more data load. However, there is never a hard and fast rule saying that it has to be done in certain way(s). On the other end of the spectrum when the data load is light, all these three can be cobbled together on a single host.

That said, from your description in the question, your deployment already has an indexer (maybe cluster), it will be better for scalability and availability to have the TA installed there, so that data could be properly parsed and indexed there and get the search heads to send the queries to the indexers. This way, the load on different parts of the deployment is more balanced.

Of course you can always go for the alternative, having the HF to send everything to the search head where all data is indexed and used for searches. That way, the search head could potentially get overwhelmed.

You can refer to the validated architectures and decide what is best for your deployment.
https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf

tauliang · ‎04-16-2020

According to Palo Alto 's documentation, not having add-ons on Search Heads would prevent access to advance features from working. That would probably be a reason most people still want the add-ons deployed there as well.

Some organizations prefer not to
install Add-ons on Search Heads. This
is fine for log ingest, but will
prevent some advanced features from
functioning, such as Adaptive Response
and Threat Intelligence.

https://splunk.paloaltonetworks.com/installation.html

tauliang · ‎04-18-2020

No I don't work for Palo Alto. What exactly are you trying to achieve?

Glasses · ‎04-16-2020

thanks for the reply but that does not make sense, I never index on a SH...
My indexes are not clustered at the moment, but some TAs require installation on the Indexer... are you from Palo?

Glasses · ‎05-12-2020

So as an update, I have hundreds of useless field extractions now that seem to be coming from the URL and trailing pages (which have = contained in them). Also I lost a valuable field "src", after I disabled the app and ta on the search head the src field returned... and of course Splunk support won'ts help with a "Palo" app and Palo has not replied to my request for support... grrrrrrrrreat!

Do you need to install the Palo Alto add-on on Indexers?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!