Splunk Enterprise Security

Best practice with TAs in distributed environment.

Splunker
Communicator

Folks,

I have 2 Splunk search-heads, one with Enterprise-Security, and a vanilla (non-ES) Search-Head for general search in a distributed setup.

When installing another distributed app, let's say Splunk for UNIX, on my non-ES SH, is it best practice to deploy the Splunk for UNIX TA on my ES Search-Head?

The documentation of distributed apps never really says if one should install the TA on other SHs (I always wondered if that was due to Search-Head Pooling)?

What is the best practice in this scenario? I would love my non-ES SH to show UNIX data from my ES SH which has Splunk for UNIX deployed on it.

Thanks.


jcoates_splunk
Splunk Employee

Hi,

TAs are simple apps that can take care of feeding data in and mapping that data to the Common Information Model. Feeding data in isn't always required, because many data sources are easily captured with a file or network input, or via another App like DB Connect. However, if pre-parsing is required, such as for large XML files, or a script or modular input is needed, such as for API-derived data, the TA is the place for that work. All TAs should also provide the field extractions, lookups, and eventtypes needed to map data to the CIM. That means there isn't a one-size-fits-all answer; you might want it in various locations for feeding, or mapping, or both.

In ES's case, we do think you should have Splunk_TA_nix and we include it in the bundle 🙂

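To make the "feeding versus mapping" split concrete, here is an added illustration (not from the thread and not the contents of Splunk_TA_nix) of a hypothetical TA named TA-example: the inputs and scripts are the feeding half and belong where data is collected, while the props, transforms, eventtypes and tags are search-time knowledge and belong on every search head that queries the data, ES or not. The sourcetype, field names, lookup and regex are all constructed for this example.

```ini
# Hypothetical TA "TA-example" (constructed for this illustration, not Splunk_TA_nix).
# Feeding half: default/inputs.conf and bin/ run only on the host (usually a
# forwarder) that collects the data. Mapping half: props/transforms/eventtypes/tags
# are applied at search time, so a search head without them sees raw events but
# no CIM fields, eventtypes or tags.

# --- default/inputs.conf : feeding (deploy where the data is collected) ---
[script://./bin/collect_auth.sh]
interval = 60
sourcetype = example:auth
index = os
disabled = 1

# --- default/props.conf : mapping (deploy on every search head) ---
[example:auth]
# Search-time extraction into CIM Authentication field names (user, src, action).
# Constructed sample event: "2024-03-01T10:00:00Z failed login for alice from 10.0.0.5"
EXTRACT-auth = ^(?<ts>\S+)\s+(?<action_raw>accepted|failed)\s+login\s+for\s+(?<user>\S+)\s+from\s+(?<src>\S+)
# Normalize the vendor wording to the CIM values success/failure.
EVAL-action = if(action_raw=="accepted", "success", "failure")
# Enrich with a lookup shipped inside the TA (lookups/example_app.csv).
LOOKUP-app = example_app_lookup host OUTPUT app

# --- default/transforms.conf : lookup definition backing LOOKUP-app ---
[example_app_lookup]
filename = example_app.csv

# --- default/eventtypes.conf : eventtype the CIM data model searches for ---
[example_authentication]
search = sourcetype=example:auth

# --- default/tags.conf : tag the eventtype so the Authentication data model picks it up ---
[eventtype=example_authentication]
authentication = enabled
```

On the non-ES search head in the question, only the mapping half matters; the inputs can stay disabled there, as they are above.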

Splunker
Communicator

Many thanks Jack! I forgot it's bundled in ES, and I also appreciate your point that "it depends" when deciding to install a TA on alternate SHs depending on what other distributed apps are installed in a particular environment.

But I think I have a better understanding now, so thanks 🙂

Chris.
