I have the SoS TA and *nix TA installed on my search peers. I have also enabled the inputs and deployed the bundle via cluster master (5.0.4 permission issue is now gone). However, I do not see any data from my search peers.
Do I also need to configure outputs.conf so that the search peers send that to the themselves?
Am I missing something else?
Thanks
I found the problem. Documentation.
I was putting the TA directories in $SPLUNK_HOME/etc/master-apps/_cluster
, but they need to be in $SPLUNK_HOME/etc/master-apps
.
I found the problem. Documentation.
I was putting the TA directories in $SPLUNK_HOME/etc/master-apps/_cluster
, but they need to be in $SPLUNK_HOME/etc/master-apps
.
Nothing from ExecProcessor at all.
Do you see log events from ExecProcessor indicating a permissions failure, or perhaps some other error condition?
It sounds like the steps you've taken are correct.