Getting Data In

Where to implement Ingest Actions?

dokaas_2
Communicator

In a recent "Splunk Enterprise 9.0 Data Administration" class, the documentation says that Ingest Actions should be implemented on a Deployment Server.  Am I correct that this only refers to Ingest Actions defined for a heavy forwarder and that if the Ingest Action is to be deployed on an indexer it should be defined on the cluster manager?

Labels (1)
Tags (1)
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, you are correct.  Deployment Servers apply to forwarders; use the CM for clustered indexers

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dokaas_2,

the Deployment Server has the role to manage configurations (so also the ingestion configuratios) for all kind of Forwarders (Universal and Heavy).

Instaed Indexers, when Clustered, are managed by the Master Node and Search Heads are managed by the Deployer.

Only for semantic, I'd like to understand what you mean with "Ingest Actions", because if you mean configurations to igest data using the inputs.conf, it's correct that they are amanged by the DS, but In general I'd say that Ingestion Actions are the role of Forwarders (HF or UF), that are really managed by the DS.

Ciao.

Giuseppe

0 Karma

dokaas_2
Communicator

To clarify.  Splunk +9 provides 'ingest actions' to filter, mask and route data.  This can be done on a heavy forwarder or indexer.  Heavy forwarders would receive their configuration from a deployment server, but clustered indexers receive their configuration from the cluster manager (I guess stand-alone indexers could get their configurations from a deployment server too). 

It was that in the class documentation, they only mentioned that 'ingest actions' were deployed through the deployment server and not that they would be deployed by the cluster manager if you had clustered indexers.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dokaas_2 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, you are correct.  Deployment Servers apply to forwarders; use the CM for clustered indexers

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...