Splunk Enterprise

Will index cluster replicate data from script inputs?

Haleb
Path Finder

Hi, I just installed a index cluster and i already know that i shoud place Apps to $SPLUNK_HOME/etc/master-apps/ directoty at my manager node to distribute it accross all indexers but i have 2 questions.

1. If an app that I deployed on the indexers uses Python scripts to fetch data, will this data be duplicated?
2. Do I need to prepare an app before deploying it to my indexers (remove unnecessary dashboards, eventtypes, etc)? Or can i leave it without changes?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

1.  Yes.  Such apps should be installed on a heavy forwarder.

2. Some preparation may be necessary, depending on the app.  Inputs.conf should be removed or all inputs disabled, for example.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

1.  Yes.  Such apps should be installed on a heavy forwarder.

2. Some preparation may be necessary, depending on the app.  Inputs.conf should be removed or all inputs disabled, for example.

---
If this reply helps you, Karma would be appreciated.

Haleb
Path Finder

Thanks for your reply.
I notice that almost every app uses script inputs (e.g., Splunk Add-on for Amazon Web Services, Splunk Add-on for Google Workspace, etc.). In what cases do I need to distribute the app to my indexers?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If the app is installed on a heavy forwarder then all parsing is done there using the configurations in the app.  There is little need for the app also to be on the indexers unless you like to wear suspenders (braces) with your belt.

P.S.  I challenge the notion that almost every app uses script inputs.  Of the thousands of app in splunkbase, comparatively few use input scripts.  🙂

---
If this reply helps you, Karma would be appreciated.

Haleb
Path Finder

I have one more question. Can I use one Heavy Forwarder for all apps with script inputs, or would it be better to deploy a separate instance for every app?

Thanks for your help!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Generally speaking, yes, you can use a single HF for all of your input scripts.  If you will be processing a lot of data then you may need an additional HF.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...