Hello!
How can I add Office 365 logs to my Splunk if I have 1 search head and 2 indexers and am using distributed search?
Should I install all add-ons on 1 indexer and make all configurations on it, and install all add-ons and the app on the search head?
I recommend HF.
Indexers are generally overloaded with requests coming from search head.
You can install on an indexer if they are not overloaded.
Start by reading the docs for the add-ons and apps you plan to install. They should say where they want to be installed.
In general, inputs should not be defined on indexers in a distributed environment. Doing so is likely to cause duplicated data. Put them on a heavy forwarder, instead. See https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
Exactly. To separate workloads onto different worker machines.
As I understand it, can I use a universal forwarder for this too?
You can't use a UF, as it doesn't have Python included in the package.
Thank you for the answer!
You mean deploy a heavy forwarder on another machine and configure it to receive logs from Office365 and then send them to my indexers?
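The topology described in this thread (Office 365 inputs on a heavy forwarder, two indexers receiving, search head for searching only) written out as Splunk configuration; this is an added example, not from the thread or from Splunk's add-on docs, and the indexer hostnames are placeholders. The Office 365 add-on's own modular input stanzas are not reproduced here; take them from the add-on documentation and place them on the HF only.

```ini
# --- On the heavy forwarder (HF): $SPLUNK_HOME/etc/system/local/outputs.conf ---
# The Office 365 add-on and its modular inputs are installed on this host only,
# so the data is collected exactly once. The HF forwards everything it collects.
[indexAndForward]
index = false              # do not keep a local copy of the events on the HF

[tcpout]
defaultGroup = o365_indexers

[tcpout:o365_indexers]
# Both indexers from the thread; the HF load-balances across them.
# Hostnames are placeholders (assumed), replace with your own.
server = idx1.example.internal:9997, idx2.example.internal:9997
autoLBFrequency = 30       # seconds between switching the target indexer

# --- On each indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Indexers only receive forwarded data. No Office 365 inputs are defined here,
# which avoids the duplicated data that indexer-side inputs would produce.
[splunktcp://9997]
disabled = 0

# --- On the search head ---
# Install the add-on/app for its knowledge objects (props, eventtypes, dashboards)
# and leave its inputs disabled so the search head does not also poll Office 365.
```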