I have installed Splunk ES in SH cluster and search head as mentioned in docs. i have also installed add-on in which index-operation is true in indexers. However i am not clear what to do next. for example, when i am checking in SH > ES > Asset center or Identify master it is showing data which is in sample csv look up. there look up are in SH.
now suppose i need to create a dash board in ES > SH for monitoring authentication activity of admin user on all splunk servers. from where i need to specify thing/data. in forwarder or in SH>ES ? how flow of data work in this case.
i could not find any doc with such detail.
You would create your dashboards, reports, correlation searches, inputs, alerts etc on the ES Search Head (SH.) But since you are using a Search Head Cluster (SHC), you do need to be aware that there are some configurations that you have to do in a dev environment, and then push via a deployer. (This is mainly modular inputs and threatlists..)
thanks for quick response.
but how about data input. from where exactly it comes. Like core splunk we use Forwarder to indexer > then search head. or directly to splunk instance where ES is installed?