Hi,
TAs are simple apps that can take care of feeding data in and mapping that data to the Common Information Model. Feeding data in isn't always required, because many data sources are easily captured with a file or network input, or via another App like DB Connect. However, if pre-parsing is required, such as for large XML files, or a script or modular input is needed, such as for API-derived data, the TA is the place for that work. All TAs should also provide the field extractions, lookups, and eventtypes needed to map data to the CIM. That means there isn't a one-size-fits-all answer; you might want it in various locations for feeding, or mapping, or both.
In ES's case, we do think you should have Splunk_TA_nix, and we include it in the bundle.
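As an added illustration (not from the post above or any Splunk-shipped TA) of both halves the answer describes, here is a minimal TA layout that feeds a file in and maps it to the CIM Authentication data model; the app name `myapp`, the sourcetype `myapp:auth`, the log path and the log line format are all assumptions.

```ini
# ---- default/inputs.conf : the "feeding" half (only needed when a
#      plain file input is enough; scripted/modular inputs go here too)
[monitor:///var/log/myapp/auth.log]
sourcetype = myapp:auth
disabled = false

# ---- default/props.conf : the "mapping" half, part 1
#      Constructed sample line this config is written against:
#      2024-01-02T03:04:05Z login result=ok user=alice src=10.0.0.5
[myapp:auth]
# Pull the raw fields out of the event at search time
EXTRACT-auth = result=(?<result>\S+)\s+user=(?<user>\S+)\s+src=(?<src>\S+)
# CIM Authentication expects "dest"; the indexed host field is the server
FIELDALIAS-dest = host AS dest
# Normalise the vendor's result codes to the CIM "action" values via a lookup
LOOKUP-auth_action = auth_action_lookup result OUTPUT action
EVAL-app = "myapp"

# ---- default/transforms.conf : declares the lookup used above
[auth_action_lookup]
filename = auth_action_lookup.csv

# ---- lookups/auth_action_lookup.csv (CSV, not INI; shown inline)
# result,action
# ok,success
# fail,failure

# ---- default/eventtypes.conf : the events that are authentication events
[myapp_authentication]
search = sourcetype=myapp:auth action=*

# ---- default/tags.conf : the tag the Authentication data model looks for
[eventtype=myapp_authentication]
authentication = enabled
```

With these files in place, a search such as `tag=authentication action=failure` (or the ES Authentication data model) picks the events up without ES needing to know anything about the vendor's raw format.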