If I write a custom command, where does it need to be located if I have a distributed search setup? On the local splunk server which receives the distributed search?
All search-time configuration in Splunk (e.g., extractions, eventtypes, tags, macros, lookups and search commands) should live on the search head that the user logs into. These resources are automatically packaged and shipped to the indexers that contain the data.
All search-time configuration in Splunk (e.g., extractions, eventtypes, tags, macros, lookups and search commands) should live on the search head that the user logs into. These resources are automatically packaged and shipped to the indexers that contain the data.