All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Where do you recommend installing the Cisco eStreamer eNcore Add-on for Splunk in a distributed environment?

ltrotter83
New Member
‎10-06-2017 06:48 AM

I have 1 search head, 2 Linux heavy forwarders, 1 indexer, 1 Deployment server, and 3 Windows heavy forwarders.

0 Karma
Reply

smallfry
Explorer
‎01-12-2020 08:04 PM

I have a question that I thought will be better if I add it here, rather than creating a new one. My questions are as the following:

  • With the eNcore Add-on already installed on a Heavy Forwarder, wouldn't deploying an updated Add-On via a Deployment Server makes the existing "data" directory becomes empty again since it will be overwritten by the copy from the Deployment Server?

  • How can I do so without affecting the existing "data" directory or it doesn't matter since the logs had been ingested?

  • Lastly, what's the impact of the "data" directory becomes empty? Will the logs be downloading in real-time from the FMC or does the Add-on download logs that had been in the FMC for x number of hours (example)?

Thanks everyone in advance.

0 Karma
Reply

douglashurd
Builder
‎10-12-2017 02:10 PM

you should use the Deployment Server to deploy the eNcore Add-on to heavy forwarder (for the data input/collection), as well as indexer and search head (since the add-on contains field extractions)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...