Getting Data In

Is it possible to use Paessler PRTG Modular input with indexer cluster?

max8006
Explorer

Hi,

I have a question about whether it is possible to use the Paessler PRTG Modular Input app in a distributed indexer scenario. I can install the app on the SH, but how do I create the reference to the indexer cluster? I can only select the local index on the SH. Does that work with a heavy forwarder, maybe?

Thanks,

max

richgalloway
SplunkTrust

Installing a modular input on indexers can lead to duplicate data.  Install it on a single SH (not a SHC) or a HF.

The app used to define indexes on your indexers should also be installed on your SHs and HFs.  This ensures the UI knows about all indexes.

---
If this reply helps you, Karma would be appreciated.

max8006
Explorer

The problem is that the PRTG app makes REST API calls to get the data for indexing. I don't understand how this is supposed to work on the indexer itself. There must be some way for a HF to make these calls and send the information to the indexers. In the app, I can't select the indexes that are defined on the standalone indexers.

0 Karma

richgalloway
SplunkTrust

By definition, the HF sends everything it gets to the indexers so there's no need to worry about that.

You'll be able to select the indexes if they are defined on the HF.  Do that by copying the app that defines your indexes (you DO use an app, right?) from an indexer to the HF.  You also can edit the PRTG app's config file to specify the index.

---
If this reply helps you, Karma would be appreciated.
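
A sketch of the heavy forwarder configuration described in the answers above, as an added example that is not part of the original posts or the PRTG app's own files. The index name `prtg`, the output group name, the indexer host names and port, and the input stanza placeholder are all assumptions; take the real stanza name from the PRTG app's own inputs.conf.

```ini
# indexes.conf on the HF
# Shipped in the same app that defines the indexes on the indexers, so the
# HF's UI lists the index. The index name "prtg" is a constructed example.
[prtg]
homePath   = $SPLUNK_DB/prtg/db
coldPath   = $SPLUNK_DB/prtg/colddb
thawedPath = $SPLUNK_DB/prtg/thaweddb

# outputs.conf on the HF
# Events collected by the modular input are forwarded to the indexers.
# Group name and host names are constructed examples.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# inputs.conf in the PRTG app's local/ directory on the HF
# Placeholder stanza: substitute the scheme and input name the app uses.
# Setting index here is the "edit the config file" route from the answer.
[<prtg_input_scheme>://<input_name>]
index = prtg
```

The modular input runs only on the HF (or a single SH), never on the indexers, which avoids the duplicate data mentioned earlier in the thread.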