All Apps and Add-ons

Will the Cisco ACI app work in a clustered splunk environment?

jlstanley
Path Finder

Will the Cisco ACI app and add-on work in a Splunk clustered environment? The instructions don't refer to clustered at all, so I'm concerned. I am trying to avoid having to spin up a single SH just for this one app.

0 Karma

nilaysh
Explorer

Yes, the Cisco ACI app works in a Splunk distributed environment.

  1. You would want to install the add-on on the search peers of the heavy forwarders or the search peers to collect and index the APIC data.
  2. Install the Cisco ACI App on the Search Heads and allow it to search the index where the data lies.
  3. One manual configuration file, eventtypes.conf, needs to be included in the App's local/default directory on the Search Heads. The file can be found in the Add-on under $SPLUNK_HOME/etc/apps/TA_cisco-ACI/default/. You can push it through the deployer or manually paste the file on each of them.

Once you have completed the above steps, try a search from the SH: ' index = sourcetype = cisco:apic:* | stats count by sourcetype'. By default, the index the data exists in is 'main'.

0 Karma
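A check for step 3, added here as an example that is not part of the original answer or the add-on: it parses Splunk .conf syntax (stanzas, key = value, comments, backslash continuations) and compares the add-on's shipped eventtypes.conf against the copy found on a search head, so you can confirm the deployer push landed intact. The stanza contents are constructed placeholders, not the TA's real file.

```python
from typing import Dict, List

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf syntax: [stanza] headers, key = value lines,
    '#' comment lines and backslash line continuations."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw
        pending = ""
        if line.endswith("\\"):  # continuation: join with the next line
            pending = line[:-1]
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in stripped and current is not None:
            key, _, value = stripped.partition("=")
            stanzas[current][key.strip()] = " ".join(value.split())
    return stanzas

def diff_stanzas(expected, deployed) -> Dict[str, List[str]]:
    """Stanzas absent on the search head, and keys whose values differ."""
    missing = sorted(set(expected) - set(deployed))
    changed = [f"{name}/{key}"
               for name in sorted(set(expected) & set(deployed))
               for key, value in expected[name].items()
               if deployed[name].get(key) != value]
    return {"missing": missing, "changed": changed}

# Constructed sample contents (placeholders, not the TA's real file): the
# add-on's shipped copy versus what was found in the app's local/ on the SH.
TA_DEFAULT = """\
# shipped under $SPLUNK_HOME/etc/apps/TA_cisco-ACI/default/
[cisco_apic_fault]
search = sourcetype=cisco:apic:fault \\
    severity=critical
[cisco_apic_event]
search = sourcetype=cisco:apic:event
"""
SH_LOCAL = """\
[cisco_apic_fault]
search = sourcetype=cisco:apic:fault severity=critical
"""

def check_search_head() -> Dict[str, List[str]]:
    return diff_stanzas(parse_conf(TA_DEFAULT), parse_conf(SH_LOCAL))
```

Run it against the real files by reading each into `parse_conf` instead of the sample strings; a non-empty "missing" or "changed" list on any SH member means the push did not land.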

jlstanley
Path Finder

I'm a little confused by your statement in #1:
"You would want to install the add-on on the search peers of the heavy forwarders or the search peers to collect and index the APIC data."

I was able to successfully install the Add-on on a single Heavy forwarder and it is sending the data to the indexers. I didn't install the add-on on the indexers. Are you saying I should install the add-on on the indexers too?

And second, if I install the add-on on all 4 of my Heavy forwarders in my environment, won't I get duplicate data in the indexes? I want to have the ability to recover from a failure of a Heavy forwarder, but I'm thinking that may not be an option with this add-on?

0 Karma

nilaysh
Explorer

Hi Stanley,

The statement was incorrect. I meant: install the add-on on the heavy forwarders OR the indexers (search peers).

If you have installed the add-on on the heavy forwarders, I recommend having the add-on on the indexers as well, just for having all the right .conf files for the incoming data. You don't need to set up the add-on on the indexer, just set up the add-on on the heavy forwarder.

If you install the add-on on all the heavy forwarders, it will have duplicate data.
Also, in case of a failure, you need to set up the app again on another heavy forwarder in such a scenario.

One way to minimize the impact, if you have multiple ACI fabrics with their own APIC clusters, is to set up each ACI fabric's APIC individually on its own heavy forwarder.

Hope this helps!

0 Karma