Had a few questions regarding this app, can anyone please help?
In a distributed environment, I have installed this app on the forwarder. The index exists on the indexer and I'm able to see the data in the index on the search head when I search for
index=qualys, but the lookup file qualys_kb lies on the forwarder, so I'm unable to see the lookup data on the search head. What should I do in this case?
Should we install the app on both the forwarder and the search head in this case?
But I think it'll duplicate the indexed events; correct me if I'm wrong.
And in case the answer to the above is yes, how do I disable the detection script on the search head and only enable the KB populator script? Only enabling the KB populator script under Data inputs -> Scripts on the search head isn't updating the lookup file on the search head.
Any pointers to the same are welcome.
The TA should be installed on the forwarder and on each of the search heads.
While all data inputs (WAS, VM, KB) should be enabled in the TA on the forwarder, only the KB input should be enabled on the search head.
Data for the enabled inputs will be forwarded to the indexer, and the VM App and WAS App should be installed on the search heads for reporting purposes. The TA should be installed on the SH with only the KB input enabled; disable VM and WAS in the TA on the search head.
This answers your points 1 and 2.
Regarding point 3, the new version of the TA has the intelligence to check where the TA is running, on the SH or on the forwarder. Accordingly, the detection script will run to populate data into Splunk.
Hope this clarifies your questions. If you need more assistance, feel free to reply back.
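One way to verify the split described in the answer above (every input enabled on the forwarder, only the KB populator enabled on the search head) is to audit each host's merged inputs.conf before trusting it. The script below is an added example and is not part of the thread or of the Qualys TA itself; the three `script://` stanza names are hypothetical placeholders for the TA's scripted inputs, and the sample inputs.conf texts are constructed for the example.

```python
"""Audit which TA scripted inputs are enabled on a host and compare against
the role split from the answer: forwarder runs KB + VM + WAS, search head
runs only the KB populator. Added example, not the TA's own code."""
import configparser
from typing import Dict, List

# Hypothetical stanza names standing in for the TA's scripted inputs under
# Data inputs -> Scripts. Substitute the real stanza names from your TA.
KB_INPUT = "script://./bin/populate_kb.py"      # KB populator (writes the lookup)
VM_INPUT = "script://./bin/run_detection.py"    # VM host detection
WAS_INPUT = "script://./bin/run_was.py"         # WAS findings

# Expected enabled/disabled state per role, as the answer describes it.
EXPECTED: Dict[str, Dict[str, bool]] = {
    "forwarder": {KB_INPUT: True, VM_INPUT: True, WAS_INPUT: True},
    "search_head": {KB_INPUT: True, VM_INPUT: False, WAS_INPUT: False},
}


def parse_inputs_conf(text: str) -> Dict[str, bool]:
    """Return {stanza: enabled} from inputs.conf-style text.

    Splunk treats a stanza with no 'disabled' key as enabled and accepts
    0/1, true/false and t/f spellings, so normalise all of them here.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    enabled: Dict[str, bool] = {}
    for stanza in cp.sections():
        raw = cp.get(stanza, "disabled", fallback="0").strip().lower()
        enabled[stanza] = raw not in ("1", "true", "t", "yes")
    return enabled


def audit(text: str, role: str) -> List[str]:
    """Return a list of violations (empty list means the host matches its role)."""
    if role not in EXPECTED:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(EXPECTED)}")
    actual = parse_inputs_conf(text)
    problems: List[str] = []
    for stanza, want in EXPECTED[role].items():
        got = actual.get(stanza)
        if got is None:
            problems.append(f"{stanza}: stanza missing on {role}")
        elif got != want:
            state = "enabled" if got else "disabled"
            wanted = "enabled" if want else "disabled"
            problems.append(f"{stanza}: {state} on {role}, expected {wanted}")
    return problems


# Constructed sample inputs.conf contents (not captured from a real host).
FORWARDER_CONF = f"""
[{KB_INPUT}]
interval = 3600
disabled = 0

[{VM_INPUT}]
interval = 1800

[{WAS_INPUT}]
interval = 1800
disabled = false
"""

SEARCH_HEAD_CONF = f"""
[{KB_INPUT}]
interval = 3600
disabled = 0

[{VM_INPUT}]
interval = 1800
disabled = 1

[{WAS_INPUT}]
interval = 1800
disabled = true
"""

# A search head where someone forgot to disable the detection script.
BAD_SEARCH_HEAD_CONF = SEARCH_HEAD_CONF.replace(
    f"[{VM_INPUT}]\ninterval = 1800\ndisabled = 1",
    f"[{VM_INPUT}]\ninterval = 1800\ndisabled = false",
)

if __name__ == "__main__":
    for name, conf, role in (
        ("forwarder", FORWARDER_CONF, "forwarder"),
        ("search head", SEARCH_HEAD_CONF, "search_head"),
        ("misconfigured search head", BAD_SEARCH_HEAD_CONF, "search_head"),
    ):
        issues = audit(conf, role)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against the merged configuration rather than a single file, since a `disabled = 0` in `local/inputs.conf` overrides `default/inputs.conf`: the output of `splunk btool inputs list` on each host is in the same stanza format and can be fed straight into `parse_inputs_conf`. If the search head passes the audit but the lookup still does not update, the KB populator is running with the right stanza state and the problem lies elsewhere (credentials, proxy, or the script's own log), which narrows what to check next.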