Hi @boknows, it's correct to put the configurations in the local folder of your TA.

What's the flow of your data? Where do you receive data? These seem to be data received by syslog, and usually they are received in a Heavy Forwarder. Could you describe the flow of your data through the Splunk machines?

In other words, I suppose that there's a syslog receiver: is it a Universal Forwarder or a Heavy Forwarder (a Splunk instance)? If it is a UF, is there some other Splunk machine between it and the Indexers? If yes, is it a UF or an HF?

At least, if you're sure that there isn't any HF, put the add-on on the Indexers, otherwise on the first HF.

Ciao.
Giuseppe