All Apps and Add-ons

Splunk Add-on for Microsoft Cloud Services: Where to install when using search head cluster and universal forwarder?

Explorer

The Splunk Add-on for Microsoft Cloud Services documentation at http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install seems to be stating that you must configure the input on the search head if you are using a Universal Forwarder. Underneath, however, it says if installing on a search head cluster you should configure the input to be on the forwarder.

What are you supposed to do when you are using a search head cluster but the (unsupported) Universal Forwarder?

0 Karma

Path Finder

Once you configure the API items for 0365 piece, it prompts for the o365 admin to login to grant the splunk app access it needs... it then auto-populates the tenant ID automatically after the token/authentication pieces go through.

0 Karma

SplunkTrust
SplunkTrust

it is recommended to use a Heavy Forwarder as this app uses modular inputs

0 Karma

Explorer

I use a universal forwarder and I'm looking for recommendations that don't involve "don't use the universal forwarder" 🙂

It's an existing architecture I really don't want to change to get an add-on installed.

0 Karma

SplunkTrust
SplunkTrust

well then 🙂
here is a solution (i hope), you can install python on the forwarder and configure the modular inputs manually. some answers around it here:
https://answers.splunk.com/answers/150106/can-we-run-the-kafka-modular-input-on-a-forwarder.html
https://answers.splunk.com/answers/96184/python-script-with-universal-forwarder.html
disclaimer: never tested it so i am not sure it will work.
you can also try to set it up on your deployer (not on the SHC members) and then copy the inputs.conf
or copy the entire configured app to the UF and see how it works. you will probably need to reconfigure the redirect-url value
hope it helps

0 Karma

Ultra Champion

Based on the Where to install this add-on section, it seems that it's required only on the Search Heads.

0 Karma

Explorer

I saw that as well. My concern (and correct me if you feel otherwise), is that if I have a search head cluster that installing this would result in the inputs being on every search head in the cluster - and then duplicate data being sent to the indexer.

This is due to the part that states "configure inputs on forwarders to avoid duplicate data collection" under "Search Head Clusters" comments.

0 Karma

Ultra Champion

Ok, so it says for the Search Heads -

-- *Install this add-on to all search heads where Microsoft cloud services knowledge management is required. Splunk recommends that you turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node. *

So, I guess, the documentation says to install the add-on on the search heads and turn visibility off. You see, I don't know where the data comes from... ; -)

0 Karma