Splunk Enterprise Security

Splunk TA installation location

jmcclure8
New Member

I am trying to install the Rapid 7 TA. The document doesn't really give any good information. There are no searches, just inputs, so I am guessing it needs to go on a Heavy Forwarder and the Search Head?

0 Karma

muralikoppula
Communicator

@jmcclure8
There are different scenarios where you need to place the TA app:
1- If you're collecting logs from a universal forwarder, the app should go on the UF and the indexer as well. (This will work if the UF points to the indexers directly.)

2- If you're collecting logs through syslog, you need to place this app on a Heavy Forwarder, and there is an indexes.conf, so you should place the same app on the indexer side as well.

0 Karma

richgalloway
SplunkTrust

Any TA that only contains inputs should not be installed on a search head unless those inputs are disabled.
Depending on the nature of the inputs, you may be able to install the TA on a Universal Forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma
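
One way to check the condition in the reply above before copying an inputs-only TA to a search head, as an added example that is not from any poster or from the TA itself: it layers the app's `local/inputs.conf` over its `default/inputs.conf` and lists the input stanzas that would still run. The stanza names and sample file contents are constructed placeholders, and only the default/local layering inside one app is modelled, not precedence across apps.

```python
# Added example: which inputs stay enabled once local/ overrides default/?
DISABLED = {"1", "true"}  # any other spelling is reported as enabled (errs toward flagging)

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # keys before any stanza are global settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def merge_layers(default, local):
    """Within one app, local/ overrides default/ key by key."""
    merged = {name: dict(kv) for name, kv in default.items()}
    for name, kv in local.items():
        merged.setdefault(name, {}).update(kv)
    return merged

def enabled_inputs(default_text, local_text=""):
    """Return the sorted input stanzas that are not disabled after layering."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    inherited = merged.pop("default", {}).get("disabled", "0")
    return sorted(name for name, kv in merged.items()
                  if kv.get("disabled", inherited).lower() not in DISABLED)

# Constructed sample files; the stanza names are hypothetical.
DEFAULT_CONF = """
[example_input://assets]
interval = 3600
disabled = 0

[example_input://vulnerabilities]
interval = 3600
"""
LOCAL_PARTIAL = "[example_input://assets]\ndisabled = 1\n"
LOCAL_ALL_OFF = LOCAL_PARTIAL + "[example_input://vulnerabilities]\ndisabled = true\n"

if __name__ == "__main__":
    for label, local in (("no local", ""), ("partial", LOCAL_PARTIAL), ("all off", LOCAL_ALL_OFF)):
        print(label, "->", enabled_inputs(DEFAULT_CONF, local) or "safe for a search head")
```

An empty result means every input in the TA is disabled in that copy of the app; a stanza with no `disabled` key counts as enabled.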