Search Activity App - Plans to migrate to DM and SHC support?

theunf
Communicator

Liked your app but cannot use it on my SHC environments.

Do you plan to move to DM with acceleration?
When will we have SHC support?

David
Splunk Employee

Unfortunately, because the app relies on a search to populate TSIDX rather than raw events, it isn't a good candidate for data models. (Would that it were!)

My general recommendation would be to install it on your DMC (Distributed Management Console) server. The DMC also needs to be installed on a box outside of the cluster, and fulfills similar roles. You should be forwarding logs from your SHC members to the indexers, so you can install it wherever you want. The large beta customer for the app has something like 12 different search heads across the organization. By installing this app on one server, they can get visibility across all their search heads. A Splunk-internal installation of the app pulls in data from something like 30 or 40 search heads, at which point some of the graphs become a little silly, but overall the system works well!

Does that sound viable for your environment? There are certainly approaches you could take to deploy the app on a SHC member (without benefiting from the HA of SHC), but for most customers it makes more sense to leverage the forwarding of logs and install on an admin box.

0 Karma

David
Splunk Employee

I've had a few new requests to support a SHC installation. If you feel that you need this in order to be successful, please let me know!

0 Karma