Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

i am new to the distributed splunk environment. suppose if i want to install a add-on which collects data from the proofpoint where would i intsall it in the heavy forwarder or in the search head

Nadhiya_Dubai
Explorer
‎06-12-2018 02:00 AM

where to install the TAP modular input in the distributed splunk environment . i have 4 heavy forwarders .How will i choose which heavy forwarder is the right place to install

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-12-2018 10:26 AM

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-17-2018 10:45 PM

when to configure the inputs ?? after pushing to the hf

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-13-2018 12:35 AM

i have a utility server with me where i had to copy the app conf files from splunk search head where my modular input app is installed

0 Karma
Reply
Solved! Jump to solution

ranjitbrhm1
Communicator
‎06-12-2018 11:14 PM

Apps are basically just conf files that you can put on the splunk server and you give splunk service a restart they will start working. So what i would have done in this setup is if you dont have a third party tool like sccm or scripts to push out your apps and you only have 4 HF and 1 SH you point all the HF to your SH first using the following command. 

/opt/splunk/bin/splunk set deploy-poll "your SH IP address":8089

once that is done all you have to do is add the app on to your /opt/splunk/etc/deploymentapps folder and then create a server class and push them off to the HF. that way you can manage your apps better.

Of course i havent done it with your specific app but the concept remains the same. You can test it out with 1 server first and then try pushing it off to other servers

0 Karma
Reply
Solved! Jump to solution

Nadhiya_Dubai
Explorer
‎06-12-2018 10:51 PM

so to start with , is it advisable to directly install on the heavy forwarder or to install the app in the utility server . Later push the app to the heavy forwarder ?

0 Karma
Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-12-2018 10:26 AM

The best practice would be to run it on a heavy forwarder. Generally, you don't want to use Search Heads for data collection.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top