Deployment Architecture

Cisco Enhanced Netflow Add-On Insanity

lbertini
New Member

Hello guys,
I am currently banging my head on the wall trying to understand and deploy the "Cisco Catalyst Enhanced Netflow Add-on for Splunk" in a distributed environment. Firstly, why does it say to install EVERYTHING (Splunk Stream App, Splunk Stream Forwarder and Splunk Wire Data) on the Heavy Forwarder, while the Netflow for Splunk blog says to have the Stream App and Wire Data Add-on on the Search Head, the Wire Data Add-on on the Indexer, and to use Independent Stream Forwarders to collect netflow and send it via HEC to the Indexer (this is what I understood, and it makes total sense)? What architecture should I follow, Cisco's or Splunk's? (I couldn't make the first one work.)
The approach of centralizing everything in the Heavy Forwarder is not working for me; I get stuck on this screen:

[screenshot: lbertini_0-1773067740690.png]

and even with all the troubleshooting tips from other posts (change the hostname in the local system file, change the hostname in the default system file, execute the set_permissions script, and many others), I can't install the Stream App on the Heavy Forwarder. Even using three different LLMs, I couldn't get this solved. I tried ignoring it and hitting "Let's get started", but no stream forwarders register with the Stream App under "matched forwarders".
I could only get the Search Head + Indexer + ISF approach from the Splunk blog to work, but then should I install the Cisco Catalyst Enhanced Netflow Add-on on the search head? It should automatically create a netflow stream for Cisco devices.
Last question: where is the netflow even used? A couple of Cisco Live sessions say to create an index for the APIs and syslog and another index for netflow, but it only says to point the search macro "cisco_catalyst_app_index" at a single index (the APIs and syslog one). So where does it use the netflow at all?

 
