Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

i am new to the distributed splunk environment. suppose if i want to install a add-on which collects data from the proofpoint where would i intsall it in the heavy forwarder or in the search head

Nadhiya_Dubai
Explorer
‎06-12-2018 02:00 AM

where to install the TAP modular input in the distributed splunk environment . i have 4 heavy forwarders .How will i choose which heavy forwarder is the right place to install

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-12-2018 10:26 AM

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-17-2018 10:45 PM

when to configure the inputs ?? after pushing to the hf

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-13-2018 12:35 AM

i have a utility server with me where i had to copy the app conf files from splunk search head where my modular input app is installed

0 Karma
Reply
Solved! Jump to solution

ranjitbrhm1
Communicator
‎06-12-2018 11:14 PM

Apps are basically just conf files that you can put on the splunk server and you give splunk service a restart they will start working. So what i would have done in this setup is if you dont have a third party tool like sccm or scripts to push out your apps and you only have 4 HF and 1 SH you point all the HF to your SH first using the following command. 

/opt/splunk/bin/splunk set deploy-poll "your SH IP address":8089

once that is done all you have to do is add the app on to your /opt/splunk/etc/deploymentapps folder and then create a server class and push them off to the HF. that way you can manage your apps better.

Of course i havent done it with your specific app but the concept remains the same. You can test it out with 1 server first and then try pushing it off to other servers

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-12-2018 10:51 PM

so to start with , is it advisable to directly install on the heavy forwarder or to install the app in the utility server . Later push the app to the heavy forwarder ?

0 Karma
Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-12-2018 10:26 AM

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...