Hello Splunker,
I hope you all are doing well.
I have tried to deploy the Windows TA Add-On over my environment [Search Head Cluster + Deployer] [3 Indexer Peers + Indexer Cluster Master] [Deployment Server + Universal Forwarder].
I have used the Deployment Server to push the inputs.conf to the designated universal forwarder, which is allocated on the domain controller server, and enabled the needed ones.
Then I removed wmi.conf and inputs.conf from the Windows TA Add-On, copied the rest to the local folder, and used the deployer to push the enhanced Windows TA to the search heads.
As per the screenshot below from the official doc, the indexer is conditional:
Why should I push the Add-on to the indexers even if there is an index-time field extraction?
As far as I know, the search head cluster will replicate the whole knowledge bundle to the indexers, so all the KOs will be replicated to the indexers and there is no need to push them. Am I correct?
Splunk Add-on for Microsoft Windows
Thanks in advance!!
Generally the knowledge bundle contains most of the content from the SH unless you blacklist some parts of it.
Why not just deploy the apps to the indexer then, you might ask. Two reasons.
1. Variability of the KOs on the SHs - each time something changes on the SH (including users' private objects) you'd have to deploy new apps
2. The same indexer(s) can be search peers for multiple different SH(C)s, each of which can have a separate set of search-time configs, possibly conflicting with each other.
So indexer-deployed apps are "active" in index time while objects replicated in a knowledge bundle are active in search time.
Wait.
I think you're confusing INDEXED_EXTRACTIONS with general index-time operations.
With TA-windows the latter are used (I'm not 100% sure if they aren't only used if you still collect the data "old-style" with sourcetype set to a particular event log).
Also the knowledge bundle is something completely different from the apps deployed on the indexers the normal way. Knowledge bundle is what is used with a search spawned from the search-head layer. Apps installed on the indexers are what is used during indexing.
Yes, this is the confusing point.
Did you mean if my search is:
index = main eventtype=authentication
Will this search replicate a knowledge bundle which contains only the Knowledge Objects related to the search itself, not all the Knowledge Objects which exist on the search head?
Knowledge bundle replication overview - Splunk Documentation
"The process of knowledge bundle replication causes peers, by default, to receive nearly the entire contents of the search head's apps."
Any explanation will be greatly appreciated!
Thanks for your help!
I am still confused about how the indexer cluster should be managed. If I want to create any KOs on the search head side, should I push these KOs to the indexers also?
That the knowledge bundle is replicated to the search peers is correct, but for the parsing (e.g. timestamp extraction) during indexing only the configuration from $SPLUNK_HOME/etc/peer-apps is used as a source. So that's the reason why you must deploy the TA on the indexer if there is no Heavy Forwarder in between.
The knowledge bundle is used during the searching.
https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Howindexingworks
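As an added example (not code from this thread or from the Windows TA) of the index-time vs search-time distinction discussed above: a small Python script reads a constructed props.conf and lists the stanzas whose settings only take effect on the indexers (or on a heavy forwarder in front of them), which is exactly what a knowledge bundle cannot supply. The sample props.conf and the setting-name tables are my own assumptions based on documented props.conf semantics, not the TA's real contents.

```python
import configparser

# Constructed sample props.conf for the demo; it is NOT the real Windows TA content.
SAMPLE_PROPS = r"""
[WinEventLog]
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
TRANSFORMS-host = winevent_host_override
EXTRACT-logon_type = Logon Type:\s+(?<logon_type>\d+)
FIELDALIAS-src = Source_Network_Address AS src
LOOKUP-action = windows_signature_lookup signature_id OUTPUT action

[XmlWinEventLog]
KV_MODE = xml
EVAL-dest = lower(dest)
"""

# Settings applied while events are parsed and indexed: they must live in
# $SPLUNK_HOME/etc/peer-apps on the indexers (or on a heavy forwarder).
INDEX_TIME = ("LINE_BREAKER", "SHOULD_LINEMERGE", "TRUNCATE", "TIME_PREFIX",
              "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD", "TZ", "CHARSET",
              "INDEXED_EXTRACTIONS", "DATETIME_CONFIG", "BREAK_ONLY_BEFORE",
              "MUST_BREAK_AFTER", "TRANSFORMS-", "SEDCMD-")
# Settings applied at search time: delivered to the peers by the knowledge bundle.
SEARCH_TIME = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-",
               "KV_MODE", "RENAME")

def classify(setting):
    """Return 'index-time', 'search-time' or 'unknown' for a props.conf setting name."""
    name = setting.upper()
    for table, label in ((INDEX_TIME, "index-time"), (SEARCH_TIME, "search-time")):
        for entry in table:
            if name == entry or (entry.endswith("-") and name.startswith(entry)):
                return label
    return "unknown"

def parse_props(text):
    """Parse props.conf text into {stanza: {setting: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # props.conf setting names are case-sensitive
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}

def needs_indexer_deployment(text):
    """Return {stanza: [index-time settings]} for stanzas the TA must bring to the indexers."""
    result = {}
    for stanza, settings in parse_props(text).items():
        index_time = [k for k in settings if classify(k) == "index-time"]
        if index_time:
            result[stanza] = index_time
    return result

if __name__ == "__main__":
    for stanza, keys in needs_indexer_deployment(SAMPLE_PROPS).items():
        print(f"[{stanza}] must be deployed to the indexers for: {', '.join(keys)}")
```

Run it against a real TA's props.conf (and transforms.conf referenced by TRANSFORMS-* entries) to decide whether the add-on can live on the search heads alone or also has to go through the cluster manager.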