Dear 'Proofpoint Splunk Integrators', developers of the Proofpoint - ET Splunk TA.
I've been working with Splunk Cloud Support to try to get this TA working for our Security team.
Scripted inputs are not currently allowed on Splunk Cloud Search Heads.
This TA uses scripted inputs to populate the ET lookups directly. Search Heads are where the lookups are needed.
When scripted inputs are not allowed, the initial view of the app does not prompt users for access code (for good reason).
When populating lookups on a heavy forwarder, there is no clear / easy path to getting the lookups (or the ET data) available on the Search Head.
Splunk Support has encouraged me to give feedback / make requests:
* at minimum, provide documentation to acknowledge this challenge and perhaps some guidance on how to work around it.
* update to include a built-in mechanism to allow people in this scenario to get the ET data from a heavy forwarder to a search head.
I'm the product manager for the Splunk TA at Proofpoint. This will require an enhancement of the TA. I'm going to put it into an internal enhancement request for consideration of our next update of the app.