Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to install when you have multiple forwarders
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to install when you have multiple forwarders
How to install when you have multiple forwarders? Does it install onto the search head regardless?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are very few reasons to install multiple Splunk instances on a single server/host. Maybe that is not what you mean, though. In every Splunk ecosystem there are always multiple servers/hosts, each with a single Splunk UF installed. You point each UF to send its data to the Indexer tier with outputs.conf and then you point your Search Head to the Indexer tier by adding each Indexer as a Distributed Search Peer. You might be starting out with an All-in-One configuration (maybe even withSplunk Light) and in that case, you point each UF to your All-in-One with outputs.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. Can you add more explanation of what you are trying to do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've waited to reply as i'm a NOOB trying to understand Splunk, the App and then the way my company deployed it and making sense of it all. Basically, we have multiple indexers and multiple search heads and it's all magically intertwined. My question was where should the app gets installed..... on the indexer directly, or the search head. Or better yet, how to equally distribute it. We ended up installing it on a single search head, but that doesn't get the data into the larger pool. So now that I think I better understand it all through trial and error, what is the proper way to deploy this app in such an environment? Via a heavy forwarder perhaps? is there a best practices document, or any documentation for that matter on deploying this in large environments?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@5105827, Splunk is deceivingly simple from the outside. It's a very intricate, modular software and you truly need to understand the software and the associated best practices well. Splunk classes and certifications is a great route.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on what your app does, there are multiple places it should go to. Can you tell the purpose of this app? Is it something which you downloaded from splunkbase, if yes what is the name? Or is this something which you created?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
