Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TA deployment question

SplunkStudent2
Engager
‎03-28-2025 01:21 PM

I'm looking for training that would cover at when deploying a TA if it would have to go to the indexer level rather than the HF or the search head.  I know the HF usually gets the "Add-on" version of a TA just ran across certain circumstance recently where I was told I'd have to deploy a TA to the indexer level.

I know there's the Splunk Certified Admin training on Udemy.  There's also the Splunk Enterprise Certified Admin training directly from Splunk.  Would either of those or something else cover what I'm looking for.

 

thanks

 

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎03-28-2025 04:51 PM

Hi

usually you don’t put TAs on indexers in distributed environment if you have HFs in use. You must put those on HFs an SH layers. This is usually said on TAs installation instructions.

Usually the only part to put into indexers via CM is index definitions.

I haven’t take those Udemy’s courses so I cannot said anything about those. 
If I recall right in splunk admin course neither goes through these at this level too? I don’t know if it has changed or not? But just read what we have written here and ask more questions about those issues, you will get that information.

r. Ismo

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-30-2025 05:01 AM

It depends on your architecture. See the Masa diagrams - https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platfor...

The index-time settings (line breaking, timestamp extraction indexed fields extraction and the such) are applied on first "heavy" (based on a full Splunk Enterprise installation, not UF) component in event's path.

So if your ingestion process is

UF->idx

you need TAs on indexers.

If you have TA with modular inputs on HF, the same HF will do the parsing stuff so for data coming from this HF you will need index-time settings in a TA there and search-time settings on SH.

If you have a fairly complicated (and very unusual but I can think of a scenario where it could be used) scenario like

UF1->HF1->UF2->HF2->idx

you need index-time settings on HF1 since it's the first heavy component. It does the parsing and sends the data down as parsed so subsequent components don't need to parse the data.

0 Karma
Reply
Solved! Jump to solution

SplunkStudent2
Engager
‎03-28-2025 07:17 PM

True, in this case it's universal forwarders sending the logs, that we don't manage, which is the only reason why they suggested deploying a TA at the indexer level.  They might want the custom sourcetype changed to a standardized one.

Hmm also thank you, since I haven't seen anything for the splunk admin course to suggest it goes through that level and either does the udemy course.  I might retake the udemy course as a refresher then schedule the splunkcloud course since there's been talk of us migrating to it so the splunkcloud course would be more practical.

thanks

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎03-28-2025 04:51 PM

Hi

usually you don’t put TAs on indexers in distributed environment if you have HFs in use. You must put those on HFs an SH layers. This is usually said on TAs installation instructions.

Usually the only part to put into indexers via CM is index definitions.

I haven’t take those Udemy’s courses so I cannot said anything about those. 
If I recall right in splunk admin course neither goes through these at this level too? I don’t know if it has changed or not? But just read what we have written here and ask more questions about those issues, you will get that information.

r. Ismo

r. Ismo

Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top