Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

i am new to the distributed splunk environment. suppose if i want to install a add-on which collects data from the proofpoint where would i intsall it in the heavy forwarder or in the search head

Nadhiya_Dubai
Explorer
‎06-12-2018 02:00 AM

where to install the TAP modular input in the distributed splunk environment . i have 4 heavy forwarders .How will i choose which heavy forwarder is the right place to install

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-12-2018 10:26 AM

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-17-2018 10:45 PM

when to configure the inputs ?? after pushing to the hf

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-13-2018 12:35 AM

i have a utility server with me where i had to copy the app conf files from splunk search head where my modular input app is installed

0 Karma
Reply
Solved! Jump to solution

ranjitbrhm1
Communicator
‎06-12-2018 11:14 PM

Apps are basically just conf files that you can put on the splunk server and you give splunk service a restart they will start working. So what i would have done in this setup is if you dont have a third party tool like sccm or scripts to push out your apps and you only have 4 HF and 1 SH you point all the HF to your SH first using the following command. 

/opt/splunk/bin/splunk set deploy-poll "your SH IP address":8089

once that is done all you have to do is add the app on to your /opt/splunk/etc/deploymentapps folder and then create a server class and push them off to the HF. that way you can manage your apps better.

Of course i havent done it with your specific app but the concept remains the same. You can test it out with 1 server first and then try pushing it off to other servers

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-12-2018 10:51 PM

so to start with , is it advisable to directly install on the heavy forwarder or to install the app in the utility server . Later push the app to the heavy forwarder ?

0 Karma
Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-12-2018 10:26 AM

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...