All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Where to install Splunkgit in a distributed environment?

j4adam
Communicator
‎11-09-2016 09:19 AM

I can't find any documentation regarding the best deployment scheme for this. Looking at the configs I'm thinking:

  • Install it on a Heavy Forwarder and configure that to have the hooks into the repos
  • Install it on Indexers (or at least the indexes.conf file) so the data gets indexed. I don't see any index time opertations.
  • Install it on Search Heads in order to make use of the views, etc

Any thoughts? Am I correct in my assessment?

Side note: The Splunkgit tag is not recognized in the "tag" search on the sidebar.

0 Karma
Reply

jagadeeshm
Contributor
‎11-10-2016 05:35 AM

You seem to be on the right track. But you still need to know couple of things -

  1. If you are planning to use Heavy Forwarder for your input, it should already be configured to send all data to the indexers. And yes, you need to remove the indexes.conf file from the Heavy Forwarder.
  2. If the App provides in-built dashboards/panels, you may want to install it on the Search Head to use their UI. But when you install it on Search Head, it is recommended to eliminate some of the files like - inputs.conf, indexes.conf etc. Please see here for details instructions - http://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
  3. Your are right! Index time operations are not always required to index data.
0 Karma
Reply

j4adam
Communicator
‎11-10-2016 09:28 AM

Would I actually need to remove the indexes.conf file from from the heavy forwarder? I have indexing globally disabled. AFAIK leaving it there would serve no purpose, but would also cause no harm.

0 Karma
Reply

jagadeeshm
Contributor
‎11-10-2016 09:55 AM

Well there are 2 things -

1 - If you enabled ALL data forwarding from HF to Indexers, you don't have to worry about having the indexes.conf on HF. On the other hand if the forwarding is not enabled, you would end up indexing data in HF (which you probably don't want)

2 - If the App has a UI for defining the inputs, and if you are planning to use it, you may need the indexes.conf.

Hope that helps.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...