Splunk Enterprise Security

Best practice with TAs in distributed environment.

Communicator

Folks,

I have 2 Splunk search-heads, one with Enterprise-Security, and a vanilla (non-ES) Search-Head for general search in a distributed setup.

When installing another distributed app, let's say Splunk for UNIX on my non-ES SH, is it best-practice to deploy the Splunk for UNIX TA on my ES Search-Head?

The documentation of distributed apps never really says if one should install the TA on other SHs (I always wondered if that was due to Search-Head Pooling)?

What is the best practice in this scenario? I would love my non-ES SH to show UNIX data from my ES SH which has Splunk for UNIX deployed on it.

Thanks.

0 Karma
1 Solution

Splunk Employee

Hi,

TAs are simple apps that can take care of feeding data in and mapping that data to the Common Information Model. Feeding data in isn't always required, because many data sources are easily captured with a file or network input, or via another app like DB Connect. However, if pre-parsing is required, such as for large XML files, or a script or modular input is needed, such as for API-derived data, the TA is the place for that work. All TAs should also provide the field extractions, lookups, and eventtypes needed to map data to the CIM. That means there isn't a one-size-fits-all answer; you might want it in various locations for feeding, or mapping, or both.

In ES's case, we do think you should have Splunk_TA_nix and we include it in the bundle 🙂

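To make the "feeding" versus "mapping" split in the answer concrete, here is an added example of the conf stanzas a minimal TA carries, grouped by which role they serve. This is not code from the original thread and not Splunk_TA_nix's own configuration; the sourcetype `example:auth`, the script path, the regex and the field names are constructed for illustration.

```ini
# Added example: minimal layout of a hypothetical TA, split by role.
# The sourcetype "example:auth", the script path and the regex are
# constructed for illustration; they are not Splunk_TA_nix's stanzas.

# --- Feeding: only matters where data is collected (forwarders) ---
# inputs.conf
# Shipped disabled, so installing the TA on a search head for mapping
# does not start collecting local data there by accident.
[script://./bin/collect_auth.sh]
disabled = 1
interval = 300
sourcetype = example:auth
index = os

# --- Mapping: matters on every search head that searches this data ---
# props.conf
# Field extraction that yields the CIM Authentication fields user, src, action.
[example:auth]
EXTRACT-auth_fields = user=(?<user>\S+)\s+src=(?<src>\S+)\s+action=(?<action>success|failure)

# eventtypes.conf
# Eventtype that selects the events the data model should pick up.
[example_authentication]
search = sourcetype=example:auth action=*

# tags.conf
# Tag that binds the eventtype to the CIM Authentication data model.
[eventtype=example_authentication]
authentication = enabled
```

With the TA installed on both search heads and its inputs left disabled, and assuming both search heads peer to the same indexers, the non-ES search head gets the same extractions, eventtypes and tags as the ES search head, so a search like `tag=authentication sourcetype=example:auth` returns the same CIM-shaped events on both; collection still happens once, on the forwarders where the input is enabled.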

Communicator

Many thanks Jack! I forgot it's bundled in ES, and I also appreciate your point that "it depends" when deciding to install a TA on alternate SHs depending on what other distributed apps are installed in a particular environment.

But I think I have a better understanding now, so thanks 🙂

Chris.

0 Karma
