Deployment Architecture

I am new to the distributed Splunk environment. Suppose I want to install an add-on which collects data from Proofpoint: where would I install it, on the heavy forwarder or on the search head?

Nadhiya_Dubai
Explorer

Where to install the TAP modular input in the distributed Splunk environment? I have 4 heavy forwarders. How will I choose which heavy forwarder is the right place to install?

0 Karma
1 Solution

kmorris_splunk
Splunk Employee

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.


0 Karma

Nadhiya_Dubai
Explorer

When to configure the inputs? After pushing to the HF?

0 Karma

Nadhiya_Dubai
Explorer

I have a utility server with me where I had to copy the app conf files from the Splunk search head where my modular input app is installed.

0 Karma

ranjitbrhm1
Communicator

Apps are basically just conf files that you can put on the Splunk server, and once you give the Splunk service a restart they will start working. So what I would have done in this setup is, if you don't have a third-party tool like SCCM or scripts to push out your apps and you only have 4 HF and 1 SH, you point all the HF to your SH first using the following command.

/opt/splunk/bin/splunk set deploy-poll "your SH IP address":8089

Once that is done, all you have to do is add the app to your /opt/splunk/etc/deploymentapps folder and then create a server class and push them off to the HF. That way you can manage your apps better.

Of course I haven't done it with your specific app, but the concept remains the same. You can test it out with 1 server first and then try pushing it off to other servers.

0 Karma
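
The server class step described in the reply above, as an added example that is not part of the original thread: a serverclass.conf sketch for the instance the heavy forwarders poll, targeting a single heavy forwarder first. The class name `proofpoint_tap_collectors`, the app folder name `proofpoint_tap_addon` and the host name `hf01.example.local` are placeholders (assumptions), not values from the thread.

```ini
# $SPLUNK_HOME/etc/system/local/serverclass.conf on the deployment server
# (added example; all names below are placeholders, not from the thread)

# Server class: which deployment clients receive the app.
[serverClass:proofpoint_tap_collectors]
# Start with one heavy forwarder, matching the advice to test on 1 server first.
# The value is matched against the client's host name, DNS name, IP or client name.
whitelist.0 = hf01.example.local

# App mapping: the folder name must match a directory under
# $SPLUNK_HOME/etc/deployment-apps/ on the deployment server.
[serverClass:proofpoint_tap_collectors:app:proofpoint_tap_addon]
# Keep the app enabled on the client once it is delivered.
stateOnClient = enabled
# Restart splunkd on the client so the new modular input is loaded.
restartSplunkd = true
```

After editing the file, `splunk reload deploy-server` makes the deployment server re-read it; the listed client picks up the app on its next poll.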

Nadhiya_Dubai
Explorer

So to start with, is it advisable to install directly on the heavy forwarder, or to install the app on the utility server and later push the app to the heavy forwarder?

0 Karma

kmorris_splunk
Splunk Employee

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.

0 Karma