The Tripwire Enterprise app runs via a scripted input that in turn requires python. Therefore, the component that retrieves data from the TE console needs to be on either a Heavy Forwarder or a full splunk instance like a Search Head. The python scripted input pulls back data and writes it in CSV format in a flat file, and then a standard Splunk monitor input picks it up. My suggestion to keep things simple, and not have to maintain monitor inputs on all of your search heads in a cluster, is to put the TA portions of the app on a Heavy Forwarder. There is no reason that you can't run the rest of the app on a Search Head Cluster (disable the monitor inputs in the app). ... View more