Deployment Architecture

Do NOT run scripted input on splunk components

renems
Communicator

I have a setup with clustered indexing, and search head pooling. I have a script that is getting data from a remote service. This script is included in an app, and that app is part of a serverclass that contains the specific linux host the script is intended to run on, the indexer-master, and the searchhead pool master.

You probably get it already: the script now runs on every host: the linux server, all of the cluster members, and all of the searchhead members. Ouch, I don't want the same input 8 times!

Is there any way to have the script only run on the linux server, and still use the deploymentserver? (I do need to add some field extractions, and create the index, so preferrably the serverclass remains unchanged)

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Forwarders and SHs/Indexers generally should not get the exact same apps if inputs are involved. I'd split up the app in an inputs-part and a other-part. Then the forwarder gets only the inputs-part and the Splunk components won't run the script.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Forwarders and SHs/Indexers generally should not get the exact same apps if inputs are involved. I'd split up the app in an inputs-part and a other-part. Then the forwarder gets only the inputs-part and the Splunk components won't run the script.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...