Hi ssackrider,
Not sure what you mean by main Splunk/ES, but if this is your indexer, and you have already forwarded Bro logs to this server using a heavy forwarder, then you do not need to install another Bro Add-on on the indexer. However, if you also use a search head, you must also install the Bro Add-on on the search head in order to properly perform searches on indexed events.
In short, in a distributed environment, you must install the Bro Add-on on the search head, and on either the indexer or the heavy forwarder.
For more installation info, please refer to this section:
http://docs.splunk.com/Documentation/AddOns/released/BroIDS/Distributeddeployment#Distributed_installation_of_this_add-on
Hope it helps, thanks!
Hunter