The Splunk Add-on for Microsoft Cloud Services documentation at http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install seems to be stating that you must configure the input on the search head if you are using a Universal Forwarder. Underneath, however, it says if installing on a search head cluster you should configure the input to be on the forwarder.
What are you supposed to do when you are using a search head cluster but the (unsupported) Universal Forwarder?
Once you configure the API items for the O365 piece, it prompts for the O365 admin to log in to grant the Splunk app the access it needs... it then auto-populates the tenant ID automatically after the token/authentication pieces go through.
I use a universal forwarder and I'm looking for recommendations that don't involve "don't use the universal forwarder" 🙂
It's an existing architecture I really don't want to change to get an add-on installed.
Well then 🙂
Here is a solution (I hope): you can install Python on the forwarder and configure the modular inputs manually. Some answers around it here:
Disclaimer: never tested it, so I am not sure it will work.
You can also try to set it up on your deployer (not on the SHC members) and then copy the inputs.conf,
or copy the entire configured app to the UF and see how it works. You will probably need to reconfigure the redirect-url value.
Hope it helps.
I saw that as well. My concern (and correct me if you feel otherwise) is that if I have a search head cluster, installing this would result in the inputs being on every search head in the cluster - and then duplicate data being sent to the indexer.
This is due to the part that states "configure inputs on forwarders to avoid duplicate data collection" under "Search Head Clusters" comments.
Ok, so it says for the Search Heads -
-- *Install this add-on to all search heads where Microsoft cloud services knowledge management is required. Splunk recommends that you turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.*
So, I guess, the documentation says to install the add-on on the search heads and turn visibility off. You see, I don't know where the data comes from... ;-)