Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk TA installation location

jmcclure8
New Member
‎08-29-2018 07:04 AM

I am trying to install the Rapid 7 TA. The document doesn't really give any good information. There are no searches, just inputs, so I am guessing it needs to go on a Heavy Forwarder and the Search Head?

0 Karma
Reply

muralikoppula
Communicator
‎08-29-2018 08:49 AM

@jmcclure8
There are different scenarios where you need to place the TA app:
1- If you're collecting logs from universal forwarder, the app should go on UF and indexer as well.(This will work if UF point to indexers directly)

2- if you're collecting logs through syslog and you need to place this app on Heavy Forwarder and there is an indexes.conf so you should place same app in indexer side as well

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2018 08:32 AM

Any TA that only contains inputs should not be installed on a search head unless those inputs are disabled.
Depending on the nature of the inputs, you may be able to install the TA on a Universal Forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...