All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Where shoulld I install Azure Monitor Add-on For Splunk? (Heavy forwarder/indexer/Search head)?

Koko12345678
Explorer
‎07-22-2018 08:36 AM

HI ,

I would like to know where should I install the Azure Monitor Add-on For Splunk? on which of this component? Heavy forwarder, indexer , Search head?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-22-2018 11:14 AM

Hello there,

ideally on the Heavy Forwarder, if not in the Search Head.
Avoid installing on indexer (unless its all in one)

hope it helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-22-2018 11:14 AM

Hello there,

ideally on the Heavy Forwarder, if not in the Search Head.
Avoid installing on indexer (unless its all in one)

hope it helps

0 Karma
Reply
Solved! Jump to solution

Koko12345678
Explorer
‎07-22-2018 01:09 PM

thanks 🙂
can you please explain why it's Ideally to install it on the HF ? and why to avoid installing it on the Indexer? and what do you mean by "unless its all in one"?

thank you

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎07-22-2018 08:46 AM

Hi,

Better to install on HF.

Because INDEXER IS BUSY IN indexing data.
Search head is busy in searching.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

Koko12345678
Explorer
‎07-22-2018 08:53 AM

as far as I know HF is busy in parsing the data,then I'm just asking myself why HF is the better place?
in addition, where Should I configure the Inputs( input for Activity Logs/Diagnostics Logs) in splunk? is it in the search head?

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎07-22-2018 10:35 AM

Its fully dependent on your environment.

In my case we have search heads loaded with so many scheduled searches so I could not allocate even 1 cpu for modular/scripted inputs and we have Indexers are busy in responding to searches and indexing data. Thats y I recommend to have modular inputs on HF.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

Koko12345678
Explorer
‎07-22-2018 10:38 AM

ok thanks 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...