Deploy Windows-TA with Clustered Environment

AliMaher
Path Finder

Hello Splunkers,

I hope you all are doing well.

I have tried to deploy the Windows TA Add-On across my environment: [Search Head Cluster + Deployer] [3 Indexer Peers + Indexer Cluster Master] [Deployment Server + Universal Forwarder].

I have used the Deployment Server to push the inputs.conf to the designated Universal Forwarder, which is located on the domain controller server, and enabled the inputs that were needed.

Then I removed the wmi.conf and inputs.conf from the Windows TA Add-On, copied the rest to the local folder, and used the Deployer to push the enhanced Windows TA to the search heads.

As per the screenshot below from the official doc, the indexer is conditional:

[Screenshot: Win-TA.png]

Why should I push the Add-on to the indexers even if there are index-time field extractions?

As far as I know, the search head cluster will replicate the whole knowledge bundle to the indexers, so all the KOs will be replicated to the indexers and there is no need to push them. Am I correct?

Splunk Add-on for Microsoft Windows 

Thanks in advance!!

1 Solution

PickleRick
SplunkTrust

Generally the knowledge bundle contains most of the content from the SH unless you blacklist some parts of it.

Why not just deploy the apps to the indexers then, you might ask. Two reasons.

1. Variability of the KOs on the SHs - each time something changes on the SH (including users' private objects) you'd have to deploy new apps.

2. The same indexer(s) can be search peers for multiple different SH(C)s, each of which can have a separate set of search-time configs, possibly conflicting with each other.

So indexer-deployed apps are "active" in index time while objects replicated in a knowledge bundle are active in search time.

PickleRick
SplunkTrust

Wait.

I think you're confusing INDEXED_EXTRACTIONS with general index-time operations.

With TA-windows the latter are used (I'm not 100% sure they aren't only used if you still collect the data "old-style" with the sourcetype set to a particular event log).

Also, the knowledge bundle is something completely different from the apps deployed on the indexers the normal way. The knowledge bundle is what is used by a search spawned from the search-head layer. Apps installed on the indexers are what is used during indexing.

AliMaher
Path Finder

Yes, this is the confusing point.

Did you mean that if my search is:

index = main eventtype=authentication

this search will replicate a knowledge bundle which contains only the Knowledge Objects relevant to the search itself, not all the Knowledge Objects which exist on the search head?

Knowledge bundle replication overview - Splunk Documentation

"The process of knowledge bundle replication causes peers, by default, to receive nearly the entire contents of the search head's apps."

Any explanation will be greatly appreciated!

AliMaher
Path Finder

Thanks for your help!

I am still confused about how the indexer cluster should be managed. If I want to create any KOs on the search head side, should I push these KOs to the indexers too?

PaulPanther
Motivator

That the knowledge bundle is replicated to the search peers is correct, but for the parsing (e.g. timestamp extraction) during indexing only the configuration from $SPLUNK_HOME/etc/peer-apps is used as a source. So that's the reason why you must deploy the TA on the indexer if there is no Heavy Forwarder in between.

The knowledge bundle is used during the searching.

https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Howindexingworks
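As an added illustration of the index-time versus search-time split discussed in this thread (this is my own example, not code from the thread or from the Windows add-on): a small Python script that reads a props.conf and sorts each stanza's attributes into those that only take effect when the TA is installed on the indexers (or a heavy forwarder in front of them) and those that reach the peers via the knowledge bundle. The attribute lists and the sample props.conf are constructed for the example and are not the add-on's real file.

```python
import configparser

# Attribute names Splunk applies in the parsing pipeline (constructed list, not from the add-on):
# they only take effect from an app on the indexers (or a heavy forwarder in front), never
# from the knowledge bundle.
INDEX_TIME_KEYS = {"LINE_BREAKER", "SHOULD_LINEMERGE", "TRUNCATE", "CHARSET",
                   "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD"}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")
# Attribute names applied at search time: these reach the peers via the knowledge bundle.
SEARCH_TIME_KEYS = {"KV_MODE"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")

def classify(attr):
    """'indexers', 'knowledge_bundle' or 'unclassified' for one props.conf attribute."""
    name = attr.upper()
    if name in INDEX_TIME_KEYS or name.startswith(INDEX_TIME_PREFIXES):
        return "indexers"
    if name in SEARCH_TIME_KEYS or name.startswith(SEARCH_TIME_PREFIXES):
        return "knowledge_bundle"
    return "unclassified"

def deployment_targets(props_text):
    """Per stanza, which attributes need the TA on the indexers and which ride the bundle."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep attribute names as written (EXTRACT-x, not extract-x)
    cp.read_string(props_text)
    targets = {}
    for stanza in cp.sections():
        buckets = {"indexers": [], "knowledge_bundle": [], "unclassified": []}
        for attr in cp[stanza]:
            buckets[classify(attr)].append(attr)
        targets[stanza] = buckets
    return targets

def stanzas_needing_indexer_deployment(props_text):
    """Sourcetypes whose props take no effect at index time if the TA is only on the SHs."""
    return sorted(s for s, t in deployment_targets(props_text).items() if t["indexers"])

# Constructed sample in the style of a Windows TA props.conf (not the real add-on's file).
SAMPLE_PROPS = """
[WinEventLog]
TIME_PREFIX = TimeGenerated=
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
TRANSFORMS-host = wineventlog_host_override
EXTRACT-EventCode = EventCode=(?<EventCode>\\d+)
KV_MODE = none
[XmlWinEventLog]
REPORT-xml_fields = xml_wineventlog_extractions
LOOKUP-severity = windows_severity_lookup Type OUTPUT severity
"""
```

Running `deployment_targets` over a TA's real props.conf answers the question in the thread for that TA: any stanza that lands in the "indexers" bucket needs the app on the indexer cluster (pushed via the cluster master), while the rest is covered by the knowledge bundle.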
