All Apps and Add-ons

Where do I install the SNMP Modular Input in a search head clustering environment?

chanmic
New Member

Hi all,

We have a distributed Splunk environment where we have clustered search heads, indexes, heavy forwarders, and universal forwarders. I would like to know where would I need to install the SNMP Modular Input to allow me to configure querying of MIB data.

Thanks in advance.
MC

0 Karma
1 Solution

jeffland
SplunkTrust
SplunkTrust

The UF and/or HF (whichever is supposed to collect the input) need to know what to deal with, so they need the TA/app. After you have defined inputs on them and they have forwarded the data to an index, there is nothing much the app can do for you in the sense of predefined dashboards/views, so you don't need to have it on your search heads.

View solution in original post

jeffland
SplunkTrust
SplunkTrust

The UF and/or HF (whichever is supposed to collect the input) need to know what to deal with, so they need the TA/app. After you have defined inputs on them and they have forwarded the data to an index, there is nothing much the app can do for you in the sense of predefined dashboards/views, so you don't need to have it on your search heads.

athorat
Communicator

We have a similar environment
where We have one search head, 3 indexers , 4 heavy forwarders and 90+ universal forwarders.
We have this app running on a stand alone environment but now have to install in a clustered environment
so as you suggested it should be on the heavy forwarders?
how about the installation process? because I have installed in the stand alone box using the Splunk UI.

one of the documentation :To install , you simply just untar it to SPLUNK_HOME/etc/apps and restart Splunk.
But how about the UI for this app? will it be available from the Heavy forwarder on which we install the app?

Thanks.

0 Karma

jeffland
SplunkTrust
SplunkTrust

You could comfortably install it via Forwarder Deployment (which I'm guessing you're already using based on the number of forwarders you have). Whether it needs to go on the HFs and/or UFs depends on which of those forwarders are supposed to gather the data - both can do it.
There is no real UI in this TA (hence the name: modular input/technical addon, not app), only the UI based settings for the input. This is accessible through your deployment server once you have the forwarder deployment set up properly.

0 Karma

athorat
Communicator

When I see the Blue Print of the architecture I see the Deployment server marked on one of the heavy forwarders.
I havent used deployment server to deploy apps yet . So can I just untar the file in /etc/apps/SNMP
and from the same server from Settings>> Data Inputs I can access the UI Based settings for the input?

0 Karma

jeffland
SplunkTrust
SplunkTrust

If you don't use forwarder management, you won't be able to use the UI to set up the input. My guess is you're using some other software to distribute configuration to your 90+ forwarders, you definitely shouldn't be doing that by hand. You'll have to use that software in whichever way it works to distribute the TA to your forwarders, but I can't tell you how that works precisely. At the end of the day, you need to have the TA and an appropriate input on the forwarder. What you could do is deploy the TA on a standalone splunk, set up the input and copy the resulting settings to the forwarders with your software.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...