Hi, thanks for both of your answers. Unfortunately we have not allowed for a Heady forwarder in our Splunk environment so have no option but to configure OPSEC inputs on one of our 4 Indexer servers. I've been unable to find anything in the documentation to determine whether or not this would be supporterted. Can you advise where I may be able to find clarification on this. Sorry I'm new to Splunk. If we can do this I would intend to install the app via the normal Cluster Master -> Indexer deployment and configure OPSEC input on one of the Indexers. I believe I may also need to install the app on the Search Head servers. Any further advice would be greatly appreciated.
... View more