I'm certain this app is not supported in a cluster; you'll want to set up a Heavy forwarder then send the OPSEC data to the Indexers instead.
Hi, thanks for both of your answers. Unfortunately we have not allowed for a Heavy forwarder in our Splunk environment so have no option but to configure OPSEC inputs on one of our 4 Indexer servers. I've been unable to find anything in the documentation to determine whether or not this would be supported. Can you advise where I may be able to find clarification on this? Sorry, I'm new to Splunk. If we can do this I would intend to install the app via the normal Cluster Master -> Indexer deployment and configure OPSEC input on one of the Indexers. I believe I may also need to install the app on the Search Head servers. Any further advice would be greatly appreciated.
If you cannot have a heavy forwarder, then install it on an indexer to ingest the data and install on SH for search time extractions (inputs disabled). The TA needs to live in both places at the same time to perform the various parts of the process.
Keep in mind that since you're running the application from 1 indexer the data will be on 1 indexer of your cluster (plus any replication settings you have...).
While you'll want the app deployed to your indexed clusters, through the normal Cluster Master -> Indexer deployment, the inputs should definitely NOT be enabled/configured there.
You'll want a separate Heavy Forwarder somewhere in your environment, set up the OPSEC app there, and have the HF forward the data to your indexers.
It's definitely a bad idea to install this app directly on an indexer; you will slow things down at best or grind them to a halt at worst.
re: installing on search head, yes, you need to do that, just with inputs disabled.
I was having the same problem. We do have a heavy forwarder; however, the documentation is not very clear on how to set up the HF setup. When I configure it as I would on an Indexer and just add an outputs.conf, it is not working.
Your heavy forwarder needs to forward data to the indexer cluster. It would be best practice that your search heads are already forwarding this data so you can re-use that same configuration.
If not, create an outputs.conf to send data to the indexer cluster.
After that, the application should be straightforward to set up...
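
Added example, not part of the thread and not taken from the app's documentation: a minimal `outputs.conf` for a heavy forwarder that load-balances across the four indexer peers mentioned above. The group name, hostnames and port 9997 are assumptions; use the receiving port actually enabled on your peers.

```ini
# outputs.conf on the heavy forwarder
# (group name and hostnames below are placeholders)

[tcpout]
# Send everything to the indexer cluster group by default
defaultGroup = idx_cluster
# Forward only; do not keep a locally indexed copy on the forwarder
indexAndForward = false

[tcpout:idx_cluster]
# List every peer so the forwarder load-balances across them,
# instead of all OPSEC data landing on a single indexer.
# Each peer must have a matching receiving input, e.g. [splunktcp://9997].
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997, idx4.example.com:9997
# Indexer acknowledgment: the forwarder resends events that a peer
# did not confirm, which guards against loss if a peer goes down
useACK = true
```

On the forwarder, `splunk list forward-server` shows which of the configured peers are currently active.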