We've got a 3 indexer - 3 search head setup on 6.2.4 using indexer clustering, search head clustering, and a deployer to configure search heads.
I've got a scripted input that reaches out for data via 3rd party api and then returns that data to be indexed.
My question is where should this go? If I deploy it via deployer on the search heads, each search head indexes the data locally in it's main index. If I put it on the indexer it doesn't appear to run and doesn't put any data into an index.
I'm a tech writer here at Splunk and I'd like to help with your question. I'm looking into this with other writers and our engineering team. I'll post an update when I find out more!
Feel free to post further questions or details here in the meantime.
Hi again, @dturner83,
Can you let me know if you are using a search head cluster? This will help us get you more specific advice.
Yes we do use search head clustering by utilizing the deployer and clustering
Ok, thanks! I'll pass this along and report back with some advice ASAP!
frobinson - Thank you for your help and input. I have to say your response times on answers.splunk.com put our Enterprise support agreement support times to shame.
It's a great community! But we will never be able to take on some of the questions that Support has to tackle - I am not on the Support team. BTW, a lot of Support folks are also top contributors on answers.splunk.com - so they are helping keep the response times low here, too!
I expect that it's really a matter of what you are willing to commit to, in writing.
I would never recommend putting script which collect data on any cluster member search or indexer. Instead I would recommend setting up a Universal or Heavy Forwarder for all third-party API or inputs from a remote machine. This will prevent accidentally index data multiple times. At this point you could use the Deployment Server.
True if you are going to have Splunk run the script. Of course it would be best to have a separate server to collect all the 3rd party or API inputs, using a forwarder. That's optimal, but requires yet another server. I hadn't thought of using the server that is running Deployment Server for this purpose, that's an interesting idea. Of course, I would probably have the Deployment Server, the Deployer and the License Master already running on that server...
bmacias84 thank you very much. This seems to be the exact strategy as of 6.2 for scripted inputs.