I'm looking for training that would cover, when deploying a TA, whether it would have to go to the indexer level rather than the HF or the search head. I know the HF usually gets the "Add-on" version of a TA; I just ran across a certain circumstance recently where I was told I'd have to deploy a TA at the indexer level.
I know there's the Splunk Certified Admin training on Udemy. There's also the Splunk Enterprise Certified Admin training directly from Splunk. Would either of those, or something else, cover what I'm looking for?
thanks
Hi
usually you don't put TAs on indexers in a distributed environment if you have HFs in use. You must put those on the HF and SH layers. This is usually stated in the TA's installation instructions.
Usually the only part to put on indexers via the CM is index definitions.
I haven't taken those Udemy courses so I cannot say anything about those.
If I recall right, the Splunk admin course doesn't go through these at this level either? I don't know if it has changed or not. But just read what we have written here and ask more questions about those issues; you will get that information.
r. Ismo
It depends on your architecture. See the Masa diagrams - https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...
The index-time settings (line breaking, timestamp extraction, indexed field extraction and the like) are applied on the first "heavy" component (one based on a full Splunk Enterprise installation, not a UF) in the event's path.
So if your ingestion process is
UF->idx
you need TAs on indexers.
If you have a TA with modular inputs on an HF, the same HF will do the parsing, so for data coming from this HF you will need the index-time settings in a TA there and the search-time settings on the SH.
If you have a fairly complicated (and very unusual, but I can think of a scenario where it could be used) setup like
UF1->HF1->UF2->HF2->idx
you need the index-time settings on HF1 since it's the first heavy component. It does the parsing and sends the data on as parsed, so subsequent components don't need to parse the data.
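The rule in the reply above ("index-time settings land on the first heavy component, search-time settings on the search head") can be turned into a small planning check. The script below is an added example, not code from the thread or from Splunk: it splits a TA's props.conf into index-time and search-time settings and, given an ingestion path written the way the reply writes it (UF1->HF1->UF2->HF2->idx), names the host that must carry each group. The classification lists are my own summary of Splunk's documented index-time versus search-time props.conf settings, and the props.conf text is constructed for the example, including a TRANSFORMS- stanza that rewrites the sourcetype, which is the kind of index-time change the question is about.

```python
"""Decide where a TA's props.conf settings must be deployed.

Added example (not from the original thread). The key lists below are an
assumption based on Splunk's documented index-time vs. search-time settings;
the sample props.conf and the ingestion paths are constructed.
"""
from typing import Dict, List

# Index-time (parsing) settings: honoured only on the first full Splunk
# Enterprise instance (HF or indexer) an event passes through.
INDEX_TIME_KEYS = {
    "LINE_BREAKER", "SHOULD_LINEMERGE", "BREAK_ONLY_BEFORE", "MUST_BREAK_AFTER",
    "TRUNCATE", "TIME_PREFIX", "TIME_FORMAT", "MAX_TIMESTAMP_LOOKAHEAD",
    "TZ", "CHARSET", "NO_BINARY_CHECK",
}
INDEX_TIME_PREFIXES = ("TRANSFORMS-", "SEDCMD-")

# Search-time settings: honoured on the search head at search time.
SEARCH_TIME_KEYS = {"KV_MODE", "AUTO_KV_JSON"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")

# Constructed sample TA props.conf (hypothetical sourcetype "acme:app").
SAMPLE_PROPS = """
[acme:app]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\\r\\n]+)
TIME_PREFIX = ^\\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# rewrite the custom sourcetype to a standard one: index-time
TRANSFORMS-rename = acme_set_sourcetype
EXTRACT-user = user=(?<user>\\S+)
REPORT-kv = acme_kv
FIELDALIAS-src = src_ip AS src
"""


def parse_props(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal props.conf reader: [stanza] headers and key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)  # regexes may contain '=' themselves
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def classify(key: str) -> str:
    """Return 'index-time', 'search-time' or 'unknown' for a props.conf key."""
    if key in INDEX_TIME_KEYS or key.startswith(INDEX_TIME_PREFIXES):
        return "index-time"
    if key in SEARCH_TIME_KEYS or key.startswith(SEARCH_TIME_PREFIXES):
        return "search-time"
    return "unknown"


def first_heavy_component(path: str) -> str:
    """First hop in 'A->B->C' that is not a universal forwarder (UF*)."""
    hops = [h.strip() for h in path.split("->") if h.strip()]
    for hop in hops:
        if not hop.upper().startswith("UF"):
            return hop
    raise ValueError(f"no full Splunk Enterprise component in path {path!r}")


def deployment_plan(props_text: str, path: str, search_head: str = "SH") -> dict:
    """Map each setting group to the host that must carry it."""
    groups: Dict[str, Dict[str, List[str]]] = {
        "index-time": {}, "search-time": {}, "unknown": {}}
    for stanza, settings in parse_props(props_text).items():
        for key in settings:
            groups[classify(key)].setdefault(stanza, []).append(key)
    return {
        "index_time_host": first_heavy_component(path),
        "search_time_host": search_head,
        "settings": groups,
    }


if __name__ == "__main__":
    # The three topologies discussed in the thread (constructed labels).
    for path in ("UF->idx", "HF->idx", "UF1->HF1->UF2->HF2->idx"):
        plan = deployment_plan(SAMPLE_PROPS, path)
        print(f"{path}: index-time settings on {plan['index_time_host']}, "
              f"search-time settings on {plan['search_time_host']}")
        for group in ("index-time", "search-time"):
            for stanza, keys in plan["settings"][group].items():
                print(f"  {group:11s} [{stanza}] {', '.join(keys)}")
```

The checker only models the "first heavy component" rule from the reply. One caveat it does not model: a UF configured with INDEXED_EXTRACTIONS for structured files (CSV, JSON and similar) does its own parsing locally, so those settings belong on the UF rather than downstream.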
True, in this case it's universal forwarders, which we don't manage, sending the logs, which is the only reason they suggested deploying a TA at the indexer level. They might want the custom sourcetype changed to a standardized one.
Hmm, also thank you, since I haven't seen anything in the Splunk admin course to suggest it goes through that level, and neither does the Udemy course. I might retake the Udemy course as a refresher, then schedule the Splunk Cloud course, since there's been talk of us migrating to it, so the Splunk Cloud course would be more practical.
thanks