All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to install when you have multiple forwarders

5105827
New Member
‎07-13-2018 09:56 AM

How to install when you have multiple forwarders? Does it install onto the search head regardless?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2018 11:01 AM

There are very few reasons to install multiple Splunk instances on a single server/host. Maybe that is not what you mean, though. In every Splunk ecosystem there are always multiple servers/hosts, each with a single Splunk UF installed. You point each UF to send its data to the Indexer tier with outputs.conf and then you point your Search Head to the Indexer tier by adding each Indexer as a Distributed Search Peer. You might be starting out with an All-in-One configuration (maybe even withSplunk Light) and in that case, you point each UF to your All-in-One with outputs.conf.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎07-13-2018 10:32 AM

Hi. Can you add more explanation of what you are trying to do?

0 Karma
Reply

5105827
New Member
‎10-18-2018 09:51 AM

I've waited to reply as i'm a NOOB trying to understand Splunk, the App and then the way my company deployed it and making sense of it all. Basically, we have multiple indexers and multiple search heads and it's all magically intertwined. My question was where should the app gets installed..... on the indexer directly, or the search head. Or better yet, how to equally distribute it. We ended up installing it on a single search head, but that doesn't get the data into the larger pool. So now that I think I better understand it all through trial and error, what is the proper way to deploy this app in such an environment? Via a heavy forwarder perhaps? is there a best practices document, or any documentation for that matter on deploying this in large environments?

0 Karma
Reply

ddrillic
Ultra Champion
‎10-18-2018 01:45 PM

@5105827, Splunk is deceivingly simple from the outside. It's a very intricate, modular software and you truly need to understand the software and the associated best practices well. Splunk classes and certifications is a great route.

0 Karma
Reply

sudosplunk
Motivator
‎10-18-2018 11:29 AM

Depending on what your app does, there are multiple places it should go to. Can you tell the purpose of this app? Is it something which you downloaded from splunkbase, if yes what is the name? Or is this something which you created?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...