Deployment Architecture

Ask For the Best Practice: Deploy Splunk_TA_fortinet_fortigate

AliMaher
Path Finder

Hello Esteemed Splunkers,

I have a long question, and I wish to have a long and detailed discussion ^-^ 

First of all:

                   We have a distributed environment:

                   Deployer with 3x search heads.

                   indexer master with 3x indexer.

                  Deployment server with 2x heavy forwarder.

and we want to deploy "Splunk_TA_fortinet_fortigate" the below is the content:

2024-11-12_021455.png

the question is:

should we deploy this app from the deployer to all search heads?
should we deploy this app from the Indexer Master to all indexers?
should we deploy this app from the deployment server to all heavy forwarders?
should we change the name of the default folder to local?

In a nutshell, what should we do and the consideration should we look at?

 

Thanks in advance!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

The answer is "it depends". Let's start from the end.

You should _not_ rename the default directory. If you want tp override any default settings you create a new directory called local and place config items there. For more info about config file precedence see here https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles

For the first three questions the answer is "it depends". It depends on whether the add-on contains search-time definitions (then you deploy it on SH-tier) and whether it contains index-time definitions (then you deploy it in your indexing pipeline - where exactly it depends on your ingestion process).

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...