Splunk Enterprise Security

Splunk TA installation location

jmcclure8
New Member

I am trying to install the Rapid 7 TA. The document doesn't really give any good information. There are no searches, just inputs, so I am guessing it needs to go on a Heavy Forwarder and the Search Head?

0 Karma

muralikoppula
Communicator

@jmcclure8
There are different scenarios where you need to place the TA app:
1- If you're collecting logs from universal forwarder, the app should go on UF and indexer as well.(This will work if UF point to indexers directly)

2- if you're collecting logs through syslog and you need to place this app on Heavy Forwarder and there is an indexes.conf so you should place same app in indexer side as well

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Any TA that only contains inputs should not be installed on a search head unless those inputs are disabled.
Depending on the nature of the inputs, you may be able to install the TA on a Universal Forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Spunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...