I'm running 4 indexers, 1 search head and 1 master as my splunk enterprise architecture . I've read the instructions that state you must install the splunk enterprise security app on the search head and indexers. I've installed the app on the search head, but was wondering about the indexers.. Do I need to enable splunk web and install the app on each of the 4 indexers just like the search head? Is the installation different for the indexers?
Last question would be with the master.. should I go ahead and install the app on the master too?
just as an fyi.. I was going to initially drop the app on the master under the deployment apps folder and push them to the indexers..But then they wouldn't be configured the same..
Once you install ES app to your Search Head, you should see some folders under /etc/apps/ that are like "SA-" "SplunkTA" and "TA-*" copy the ones you are using to your Indexing and U&H Forwarding tier.