The Splunk App for AWS and the AWS TA are running on the Search head. The TA is also installed on the Heavy Forwarder. We are able to run the "listawsinputs" command on the TA on the Heavy Forwarder but it is not running on the TA on the search head. The listawsinputs is required to make the Topology dashboard run on the Splunk App for AWS. What can be done to make the two TAs communicate with each other?
They don't talk to 'each other' - they talk via an index!.
When you run the scheduled search on your configured HF it runs
| listawsinputs | collect 'aws-input-index'
The collect statement tells Splunk to write the results of the list command into a summary index defined by aws-input-index
The App on the SH then queries the same summary index, to work out which inputs you HF has been configured with.
You need to make sure that the summary indexes are created on your indexers - otherwise the HFs won't write it into the correct index, and the SH wont be able to find it.
Distribute the summary index
configurations to the indexer:
Copy $SPLUNK_HOME/etc/apps/splunk_apps_aws/default/indexes.conf
from the search head to a temporary
directory on the indexer and then
merge all the settings in the file
into
$SPLUNK_HOME/etc/apps/search/local/indexes.conf
to incorporate the summary index
configurations.
http://docs.splunk.com/Documentation/AWS/5.1.0/Installation/Installon-prem