All Apps and Add-ons

Where do you recommend installing the Cisco eStreamer eNcore Add-on for Splunk in a distributed environment?

ltrotter83
New Member

I have 1 search head, 2 Linux heavy forwarders, 1 indexer, 1 Deployment server, and 3 Windows heavy forwarders.

0 Karma

smallfry
Explorer

I have a question that I thought will be better if I add it here, rather than creating a new one. My questions are as the following:

  • With the eNcore Add-on already installed on a Heavy Forwarder, wouldn't deploying an updated Add-On via a Deployment Server makes the existing "data" directory becomes empty again since it will be overwritten by the copy from the Deployment Server?

  • How can I do so without affecting the existing "data" directory or it doesn't matter since the logs had been ingested?

  • Lastly, what's the impact of the "data" directory becomes empty? Will the logs be downloading in real-time from the FMC or does the Add-on download logs that had been in the FMC for x number of hours (example)?

Thanks everyone in advance.

0 Karma

douglashurd
Builder

you should use the Deployment Server to deploy the eNcore Add-on to heavy forwarder (for the data input/collection), as well as indexer and search head (since the add-on contains field extractions)

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...