Solved: Do NOT run scripted input on splunk components

renems · ‎07-11-2014

I have a setup with clustered indexing, and search head pooling. I have a script that is getting data from a remote service. This script is included in an app, and that app is part of a serverclass that contains the specific linux host the script is intended to run on, the indexer-master, and the searchhead pool master.

You probably get it already: the script now runs on every host: the linux server, all of the cluster members, and all of the searchhead members. Ouch, I don't want the same input 8 times!

Is there any way to have the script only run on the linux server, and still use the deploymentserver? (I do need to add some field extractions, and create the index, so preferrably the serverclass remains unchanged)

martin_mueller · ‎07-11-2014

Forwarders and SHs/Indexers generally should not get the exact same apps if inputs are involved. I'd split up the app in an inputs-part and a other-part. Then the forwarder gets only the inputs-part and the Splunk components won't run the script.

View solution in original post

martin_mueller · ‎07-11-2014

Forwarders and SHs/Indexers generally should not get the exact same apps if inputs are involved. I'd split up the app in an inputs-part and a other-part. Then the forwarder gets only the inputs-part and the Splunk components won't run the script.

Do NOT run scripted input on splunk components

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform