All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to integrate Mcafee ePO in a distributed environment with Splunk DB Connect and the Splunk Add-on for McAfee?

sassens1
Path Finder
‎11-17-2016 05:15 AM

Hi,

I'm planning to install McAfee + Splunk DB Connect on several heavy forwarders (4) using the Deployment Server.
The fact is, I don't know what will happen if all the TAs start collecting at the same time. Will it end up with duplicate or more entries for the same event!? not cool...

Can I really use this TA in a distributed environment or must I choose a specific forwarder and do a "manual" fail over in case of failure (eg: enable/disable DB Connect ePO config)? (same behavior with opsec-lea add on)

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2016 05:54 AM

Having more than one TA reading from the same database using the same query will result in duplicate data. Use a single HF for that and have the input disabled on a second HF as a cold standby.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...