We are looking to use the Splunk app for Check Point. Installation steps are confusing on Splunk's point of view.
Our Splunk setup is distributed search with 2 search heads and 2 indexers.
I have installed Splunk app for Check Point on the Search head, but now I am confused where to install "splunk-add-on-for-check-point-opsec-lea_3"
Is it only on the Splunk forwarder or on the indexer also?
Add on is installed on almost all components but depends on your installation though. The installation and configuration details are available http://docs.splunk.com/Documentation/OPSEC-LEA