I am trying to simulate a cluster environment for the Splunk App for Enterprise Security. The setup is:
- Two Indexers in a cluster with Rep Factor = 2, search factor = 2
- One search head for the ES APP, the other one for third-party apps.
- Dedicated Cluster Master & Deployer on a single machine.
I have installed the ES APP on the deployer and copied SA-ForIndexers, TA-*, Splunk_TA*, Splunk_SA* files to master-apps and pushed to the Indexer cluster. With this, it is able to create the indexes.
Would like to know what are all the directories I need to copy/push to the ES APP search head node?
Do I need to create a search head cluster, or can I just copy the ES app related files directly to the search head?
How do I ensure that the search head sends all the data to the Indexer cluster?
Indexer Clustering and Search Head Clustering are two separate and distinct features. You need to understand the basics of both in order to run ES in both. Based on your environment description, you do not have Search Head Clustering in mind.
Regarding Indexer Clustering, you need a working cluster before you install ES. Once you have a valid working clustered indexer environment, then you can install ES. There is a SA-ForIndexers that comes with ES; this would be placed on your Cluster Master and distributed to each indexer. This is not through the deployer; the deployer is used for SHC.
For SHC, again you need to understand how this works before you try and deploy ES on this. There is a large list of issues you need to be aware of and understand before you even attempt this. Make sure you read the documentation at:
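As an added illustration of the indexer-cluster side of the answer above (not part of the original question or answer, and not Splunk's or the ES app's own shipped configuration): the stanzas below show how a standalone ES search head is attached to the indexer cluster as a search head and how its own data is forwarded to the clustered indexers instead of being indexed locally. Hostnames, ports, the `idx_cluster` group name and the secret are placeholders; `SA-ForIndexers` is distributed from the Cluster Master's `master-apps` directory, not from the deployer.

```ini
# --- On the Cluster Master ---
# $SPLUNK_HOME/etc/master-apps/SA-ForIndexers/   (copied from the ES package)
# $SPLUNK_HOME/etc/master-apps/_cluster/local/inputs.conf
# Indexers must listen for forwarded data from the search head(s).
[splunktcp://9997]
disabled = 0
# Push the bundle to all peers afterwards:
#   $SPLUNK_HOME/bin/splunk apply cluster-bundle

# --- On the ES search head ---
# $SPLUNK_HOME/etc/system/local/server.conf
# Join the indexer cluster as a search head (not a peer); mode=searchhead
# lets the search head discover the peers from the Cluster Master.
[clustering]
mode = searchhead
master_uri = https://cm.example.internal:8089     ; placeholder hostname
pass4SymmKey = CHANGE_ME_CLUSTER_SECRET             ; placeholder secret

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Forward everything the search head generates (summaries, internal logs)
# to the indexer tier and keep no local copy.
[indexAndForward]
index = false

[tcpout]
defaultGroup = idx_cluster                          ; placeholder group name
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:idx_cluster]
server = idx1.example.internal:9997, idx2.example.internal:9997   ; placeholders
```

After restarting the search head, `splunk list cluster-peers` run on it should show both indexers, and `index=_internal host=<search head>` searched from the search head should return events that live on the indexers rather than on the search head itself, which confirms that the search head's data is reaching the cluster.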