When will the Qualys App for Splunk Enterprise be compatible with search head clustering? We're currently running the app on a standalone search head and would like it integrated with our SHC. If there are any steps to get this working on a SHC, that'd be fantastic.
The Knowledgebase dashboard is based on a lookup, and the lookup is located on the indexers, not on the SHC, so we put an input monitor on the lookup and scheduled a basic search:
index=qualys | table * | outputlookup qualys_kb.csv
Now all is working as expected.
For all intents and purposes, it can be, provided you don't configure any of the data pulling. You need to configure the app on a standalone server to do the data pull to populate the index and run the app on the SHC only to query the index.
So does this mean that if you do it this way, the dashboards won't populate? I ask because I'm looking at installing this on an indexer (to avoid filling up a search head with data that the app pulls down), but I also want to install the app on the search heads for viewing the data.
I have a similar issue. I am getting data from Qualys App from Splunk, created a custom app, and most of the dashboards are giving "empty csv error" on various indexers at random. Most of the searches/dashboards are giving consistent results. By the way, I have a distributed environment, not SHC.