How to install when you have multiple forwarders? Does it install onto the search head regardless?
There are very few reasons to install multiple Splunk instances on a single server/host. Maybe that is not what you mean, though. In every Splunk ecosystem there are always multiple servers/hosts, each with a single Splunk UF installed. You point each UF to send its data to the Indexer tier with outputs.conf and then you point your Search Head to the Indexer tier by adding each Indexer as a Distributed Search Peer. You might be starting out with an All-in-One configuration (maybe even with Splunk Light) and in that case, you point each UF to your All-in-One with outputs.conf.
Hi. Can you add more explanation of what you are trying to do?
I've waited to reply as I'm a NOOB trying to understand Splunk, the App and then the way my company deployed it and making sense of it all. Basically, we have multiple indexers and multiple search heads and it's all magically intertwined. My question was where should the app get installed... on the indexer directly, or the search head. Or better yet, how to equally distribute it. We ended up installing it on a single search head, but that doesn't get the data into the larger pool. So now that I think I better understand it all through trial and error, what is the proper way to deploy this app in such an environment? Via a heavy forwarder perhaps? Is there a best practices document, or any documentation for that matter, on deploying this in large environments?
@5105827, Splunk is deceivingly simple from the outside. It's a very intricate, modular software and you truly need to understand the software and the associated best practices well. Splunk classes and certifications are a great route.
Depending on what your app does, there are multiple places it should go to. Can you tell the purpose of this app? Is it something which you downloaded from Splunkbase? If yes, what is the name? Or is this something which you created?