Splunk Enterprise Security

Splunk TA installation location

jmcclure8
New Member

I am trying to install the Rapid 7 TA. The document doesn't really give any good information. There are no searches, just inputs, so I am guessing it needs to go on a Heavy Forwarder and the Search Head?

0 Karma

muralikoppula
Communicator

@jmcclure8
There are different scenarios where you need to place the TA app:
1- If you're collecting logs from a universal forwarder, the app should go on the UF and the indexer as well. (This will work if the UF points to the indexers directly.)

2- If you're collecting logs through syslog, you need to place this app on a Heavy Forwarder, and there is an indexes.conf, so you should place the same app on the indexer side as well.

0 Karma

richgalloway
SplunkTrust

Any TA that only contains inputs should not be installed on a search head unless those inputs are disabled.
Depending on the nature of the inputs, you may be able to install the TA on a Universal Forwarder.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
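
A way to check the rule from the reply above (an inputs-only TA goes on a search head only with its inputs disabled), as an added example that is not part of the original thread or of the Rapid7 TA. It merges an app's `default/inputs.conf` and `local/inputs.conf` and lists the input stanzas that are still enabled; the app name `TA-example` and its stanzas are constructed sample data.

```python
import tempfile
from pathlib import Path

# Values treated as "disabled" here; anything else is reported as enabled.
DISABLED_VALUES = {"1", "true"}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def enabled_inputs(app_dir):
    """Return input stanzas still enabled once local/ overrides default/."""
    merged = {}
    for layer in ("default", "local"):  # later layer wins
        path = Path(app_dir) / layer / "inputs.conf"
        if path.is_file():
            for name, settings in parse_conf(path.read_text()).items():
                merged.setdefault(name, {}).update(settings)
    merged.pop("default", None)  # [default] holds global settings, not an input
    return sorted(name for name, s in merged.items()
                  if s.get("disabled", "0").lower() not in DISABLED_VALUES)

def build_sample_app(root):
    """Write a constructed TA with two inputs, one disabled in local/."""
    app = Path(root) / "TA-example"
    (app / "default").mkdir(parents=True)
    (app / "local").mkdir()
    (app / "default" / "inputs.conf").write_text(
        "[monitor:///var/log/example.log]\ndisabled = 0\n"
        "[script://./bin/collector.py]\ninterval = 300\n")
    (app / "local" / "inputs.conf").write_text(
        "[monitor:///var/log/example.log]\ndisabled = 1\n")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for stanza in enabled_inputs(build_sample_app(root)):
            print("still enabled, do not deploy to a search head as-is:", stanza)
```

An empty result means every input in the app is disabled and the copy is safe to place on a search head under the rule above.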