Situation.
Search Cluster - 9.2.2
5 nodes running Enterprise Security version 7.3.2
I'm in the process of adding 5 new nodes to the cluster. Part of my localization involves creating /opt/splunk/etc/system/local/inputs.conf with the following contents. (The reason I do this is to make sure the host field for forwarded internal logs doesn't contain the FQDN like hostname in server.conf.)
[default]
host = <name of this host>
When I get to the step where I run:
splunk add cluster-member -current_member_uri https://current_member_name:8089
It works, but /opt/splunk/etc/system/local/inputs.conf is replicated from the current_member_name
And, if I run something like: splunk set default-hostname <name of this host> ... it modifies inputs.conf on EVERY node of the cluster.
Diving into this, I believe this is happening because of the Domain Add-On DA-ESS-ThreatIntelligence, which contains a server.conf file in its default directory. (Why this would be, I've no idea.)
Contents of /opt/splunk/etc/shcluster/apps/DA-ESS-ThreatIntelligence/default/server.conf on our Cluster Deployer, which is now delivered to all cluster members:
[shclustering]
conf_replication_include.inputs = true
It seems to me that it's this stanza that is causing the issue.
Am I on the right track? And why would DA-ESS-ThreatIntelligence be delivered with this particular config?
Thank you.
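
One way to list every server.conf under a Splunk etc directory that sets a conf_replication_include.* key in [shclustering], like the stanza quoted in the post. This is an added example, not part of the original post and not Splunk's code; the function names and the sample tree (including the serverName value) are constructed for illustration.

```python
import os
import sys
import tempfile

PREFIX = "conf_replication_include."

def find_replication_includes(etc_root):
    """Return sorted (relative path, conf name, value) for each
    conf_replication_include.<conf> key set in a [shclustering] stanza."""
    hits = []
    for dirpath, _dirs, files in os.walk(etc_root):
        if "server.conf" not in files:
            continue
        path = os.path.join(dirpath, "server.conf")
        rel = os.path.relpath(path, etc_root).replace(os.sep, "/")
        stanza = None
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                if line.startswith("[") and line.endswith("]"):
                    stanza = line[1:-1].strip()
                elif stanza == "shclustering" and "=" in line:
                    key, value = (p.strip() for p in line.split("=", 1))
                    if key.startswith(PREFIX):
                        hits.append((rel, key[len(PREFIX):], value))
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed tree that mirrors the paths quoted in the post."""
    samples = {
        "shcluster/apps/DA-ESS-ThreatIntelligence/default/server.conf":
            "[shclustering]\nconf_replication_include.inputs = true\n",
        # Constructed: a server.conf with no replication override.
        "system/local/server.conf": "[general]\nserverName = example-sh\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]          # e.g. /opt/splunk/etc on a real instance
    else:
        root = tempfile.mkdtemp()   # no argument: scan the constructed sample
        build_sample_tree(root)
    for rel, conf, value in find_replication_includes(root):
        print(f"{rel}: {conf}.conf replication include = {value}")
```

Run it with the etc directory as the first argument to scan a real deployer or member; with no argument it scans the constructed sample tree.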