Deployment Architecture

The Add-Ons

mohsplunking
Path Finder

Hello Splunkers,

I have an architecture-related question, if someone can help with it please.

My architecture is like this: Log Source (Linux Server) > Heavy Forwarder > Indexer

Let's say I'm onboarding a new log source. When I install a UF on my Linux server, it connects back to my Deployment Server and gets the app (Linux TA) and the output.conf app, which is basically my Heavy Forwarder details. Now my question is: do I need to have the same Linux_TA installed on my Heavy Forwarder and Indexer too? Or is it sufficient as long as this TA is on the log source?

Hope I have explained well.

Thanks for looking into this and I greatly appreciate your input.

regards,

Moh. 

 

0 Karma

PickleRick
SplunkTrust

Adding to what @gcusello and @richgalloway already said, if it's a standard Splunk-supported app (I suppose by TA_Linux you mean the TA_nix but I can't be 100% sure), it will have its own docs page saying on which components it should/can be installed.

If it's a third-party supplied, independently written app, it might have such a doc page as well.

Generally speaking, Splunk apps contain settings which can be active on various components (either in search-time or in index-time) but if an app is properly written (and as far as I remember, there are checks which make sure that you can upload to Splunkbase a badly written app; at least badly written in this context), you can typically deploy your app on all tiers and each tier will only "use" the part of the app which applies to said tier.

So your app may contain:

1) Input/output definitions - in a Splunkbase-supplied app they will be set as disabled by default; you have to explicitly enable them, so if you just deploy an app with disabled inputs, they won't do anything anywhere. Of course, if you're deploying your own custom app with enabled inputs or outputs, they will try to do their job wherever they are deployed.

2) Index-time props/transforms settings - they will be active either on the initial forwarder (if applicable - like EVENT_BREAKER settings) or on the first "heavy" (based on full Splunk Enterprise installation) component in the event's path (except ingest-actions; they will be performed after the initial parsing as well but that's a story for another day ;-)). Splunk will happily ignore them in search-time.

3) Search-time props/transforms settings - they will be active only on search-heads. You can safely deploy them to components active during the ingestion phase (HFs and indexers) and they will simply be ignored in the ingestion pipeline.

 

0 Karma
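The tier behaviour described in the reply above, worked through as an added example that is not part of the original thread and is not code from Splunk or any add-on. The stanza, the tier names and the setting-to-phase table are constructed for illustration, and the table is a partial list of well-known `props.conf` settings, not an exhaustive one.

```python
import re

# Constructed sample props.conf stanza, not copied from any real add-on.
SAMPLE_PROPS = r"""
[linux_secure]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
LINE_BREAKER = ([\r\n]+)
TIME_FORMAT = %b %d %H:%M:%S
TRANSFORMS-route = route_secure_events
EXTRACT-user = user=(?<user>\S+)
FIELDALIAS-src = src_ip AS src
"""

# Partial (assumed, not exhaustive) map of props.conf settings to the phase that reads them.
PHASES = [
    ("forwarder", r"EVENT_BREAKER(_ENABLE)?$"),
    ("index", r"(LINE_BREAKER|SHOULD_LINEMERGE|TIME_PREFIX|TIME_FORMAT|TRUNCATE|TZ)$"),
    ("index", r"(TRANSFORMS|SEDCMD)-"),
    ("search", r"(EXTRACT|REPORT|FIELDALIAS|EVAL|LOOKUP)-|KV_MODE$"),
]

def classify(key):
    """Return the phase in which a props.conf setting takes effect."""
    for phase, pattern in PHASES:
        if re.match(pattern, key):
            return phase
    return "unclassified"

def setting_names(text):
    """Yield setting names from props.conf-style text, skipping stanzas and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "[#" and "=" in line:
            yield line.split("=", 1)[0].strip()

def active_by_tier(text, path):
    """Map each tier to the settings it applies; path is an ordered list of
    (name, kind) with kind in {"uf", "heavy", "search"}."""
    result = {name: [] for name, _ in path}
    first_heavy = next((n for n, k in path if k == "heavy"), None)
    for key in setting_names(text):
        phase = classify(key)
        for name, kind in path:
            if (phase, kind) in (("forwarder", "uf"), ("search", "search")) or (phase == "index" and name == first_heavy):
                result[name].append(key)
    return result

# The asker's path plus a separate search head (hypothetical tier names).
PATH = [("UF", "uf"), ("HF", "heavy"), ("IDX", "heavy"), ("SH", "search")]
```

Calling `active_by_tier(SAMPLE_PROPS, PATH)` shows the same app deployed everywhere being used piecewise: event breaking on the UF, parsing on the HF, nothing on the indexer behind it, and field extraction on the search head.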

gcusello
SplunkTrust

Hi @mohsplunking ,

as @richgalloway said, you should also install the Add-On on the HF because the parsing is done on it.

The installation on the Indexer depends on your architecture:

  • If you also have one or more Search Heads, you don't need to install the Add-On on the Indexers, but you must install it on the SHs.
  • If instead your Indexer is a stand-alone server (in other words, it's an Indexer and a Search Head), you have to install the Add-On on the Indexer.

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust

It depends on the results you want.  If you expect the TA to extract fields for you then it must be installed on the HF.  If you don't care about field extractions then just install the TA on the UF.

Either way, the TA does not need to be installed on the indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma