Re: Ask For the Best Practice: Deploy Splunk_TA_fo...

AliMaher · ‎11-11-2024

Hello Esteemed Splunkers,

I have a long question, and I wish to have a long and detailed discussion ^-^

First of all:

We have a distributed environment:

Deployer with 3x search heads.

indexer master with 3x indexer.

Deployment server with 2x heavy forwarder.

and we want to deploy "Splunk_TA_fortinet_fortigate" the below is the content:

the question is:

should we deploy this app from the deployer to all search heads?
should we deploy this app from the Indexer Master to all indexers?
should we deploy this app from the deployment server to all heavy forwarders?
should we change the name of the default folder to local?

In a nutshell, what should we do and the consideration should we look at?

Thanks in advance!

PickleRick · ‎11-11-2024

The answer is "it depends". Let's start from the end.

You should _not_ rename the default directory. If you want tp override any default settings you create a new directory called local and place config items there. For more info about config file precedence see here https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles

For the first three questions the answer is "it depends". It depends on whether the add-on contains search-time definitions (then you deploy it on SH-tier) and whether it contains index-time definitions (then you deploy it in your indexing pipeline - where exactly it depends on your ingestion process).

Ask For the Best Practice: Deploy Splunk_TA_fortinet_fortigate

deployer

heavy forwarder

indexer clustering

search head clustering

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk