Once you install ES app to your Search Head, you should see some folders under /etc/apps/ that are like "SA-" "Splunk_TA_" and "TA-*" copy the ones you are using to your Indexing and U&H Forwarding tier. Here is the Link in the ES configuration manual that discusses in more detail. ES Config Manual Determine which add-ons to deploy ... View more

Yayannah, It's been several years, but your post is still valuable: If you want to configure the forwarder to send the data to particular index on cluster-peers, use one of the following methods a) use deployment server (app with inputs.conf file) OR b) create inputs.conf file in the forwarder to read the data from souce and restart OR c) use the following command to add the input files For continuous monitor the file: ./splunk add monitor -index [ -sourcetype ] For adding file one time only : ./splunk add oneshot -index [ -sourcetype ] Let's say I have a server playing both role DS and Cluster Master, indexes created on this box. Data is being sent to a HF, then ends up in 7 peer nodes. Log file: log123.log Sourcetype: networksource Monitoring type: continuously I'd like to assign this data source to index IDX123 created in the DS/CM server. Would you please give details on which server to run which command? Thank you, ... View more