Splunk Enterprise Security

Best practice with TAs in distributed environment.

Splunker
Communicator

Folks,

I have 2 Splunk search-heads, one with Enterprise-Security, and a vanilla (non-ES) Search-Head for general search in a distributed setup.

When installing another distributed app, let's say, Splunk for UNIX on my non-ES SH, is it best-practice to deploy the Splunk for UNIX TA on my ES Search-Head?

The documentation of distributed apps never really says whether one should install the TA on other SHs (I always wondered if that was due to Search-Head Pooling).

What is the best practice in this scenario? I would love my non-ES SH to show UNIX data from my ES SH, which has Splunk for UNIX deployed on it.

Thanks.

0 Karma
1 Solution

jcoates_splunk
Splunk Employee

Hi,

TAs are simple apps that can take care of feeding data in and mapping that data to the Common Information Model. Feeding data in isn't always required, because many data sources are easily captured with a file or network input, or via another app like DB Connect. However, if pre-parsing is required, such as for large XML files, or a script or modular input is needed, such as for API-derived data, the TA is the place for that work. All TAs should also provide the field extractions, lookups, and eventtypes needed to map data to the CIM. That means there isn't a one-size-fits-all answer; you might want it in various locations for feeding, or mapping, or both.

In ES's case, we do think you should have Splunk_TA_nix and we include it in the bundle 🙂

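As an added illustration (not from the original post, and not the contents of Splunk_TA_nix), here is a minimal, constructed technology add-on, TA-example_auth, that separates the two jobs the answer describes: the input stanza that feeds data in, which only matters on the forwarder that collects the file, and the search-time knowledge (extractions, eventtype, tag) that maps events to the CIM Authentication data model, which every search head that should see the data through CIM needs, ES or not. The app name, sourcetype, log format, index and field names are assumptions for the example.

```ini
# TA-example_auth/default/inputs.conf
# Feeding: deploy to the forwarders that hold the file; not needed on search heads.
[monitor:///var/log/example-auth/auth.log]
sourcetype = example:auth
index = auth
disabled = 1   ; ship disabled; enable per host in local/inputs.conf

# TA-example_auth/default/props.conf
# Mapping: deploy to every search head (ES and non-ES) that searches this data.
# Constructed sample line the extraction below is written against:
#   2024-01-01T12:00:00Z login result=failure user=alice src=10.0.0.5 dest=host1
[example:auth]
EXTRACT-auth = result=(?<result>\w+)\s+user=(?<user>\S+)\s+src=(?<src>\S+)\s+dest=(?<dest>\S+)
EVAL-action = if(result=="success","success","failure")
FIELDALIAS-app = sourcetype AS app

# TA-example_auth/default/eventtypes.conf
[example_auth_login]
search = sourcetype="example:auth" login

# TA-example_auth/default/tags.conf
# The "authentication" tag is what places these events in the CIM Authentication data model.
[eventtype=example_auth_login]
authentication = enabled
```

In a distributed setup the same add-on is shipped whole to each tier and the tier simply ignores the stanzas it cannot use: forwarders act on inputs.conf, search heads on the search-time knowledge. To confirm the mapping is present on a given search head, run a search such as `tag=authentication sourcetype="example:auth"` there; if it returns events on the ES search head but not on the non-ES one, the TA has not been deployed to the second search head.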

Splunker
Communicator

Many thanks Jack! I forgot it's bundled in ES, and I also appreciate your point that "it depends" when deciding to install a TA on alternate SHs, depending on what other distributed apps are installed in a particular environment.

But i think i have a better understanding now, so thanks 🙂

Chris.

0 Karma
