All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to integrate Mcafee ePO in a distributed environment with Splunk DB Connect and the Splunk Add-on for McAfee?

sassens1
Path Finder
‎11-17-2016 05:15 AM

Hi,

I'm planning to install McAfee + Splunk DB Connect on several heavy forwarders (4) using the Deployment Server.
The fact is, I don't know what will happen if all the TAs start collecting at the same time. Will it end up with duplicate or more entries for the same event!? not cool...

Can I really use this TA in a distributed environment or must I choose a specific forwarder and do a "manual" fail over in case of failure (eg: enable/disable DB Connect ePO config)? (same behavior with opsec-lea add on)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2016 05:54 AM

Having more than one TA reading from the same database using the same query will result in duplicate data. Use a single HF for that and have the input disabled on a second HF as a cold standby.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...