
Where do I install the Cisco eStreamer for Splunk App in an indexer clustering environment?

jdaves
Path Finder

Hey folks!

I'm attempting to get Sourcefire/FireSIGHT data with the Cisco eStreamer for Splunk app and I'm having trouble deciding where to put the app. It seems if I put it on both indexers in a cluster, then all logs will be gathered and indexed twice, which is not what I want. However, I want to maintain redundancy in case one of the indexers goes down. It seems there is no way to account for this. Do I really have to put it on only one indexer (or heavy forwarder) and hope that box doesn't go down?

Any advice is appreciated. Also it seems this app hasn't been updated in a while, I hope it actually works on 6.4...

0 Karma
1 Solution

jdaves
Path Finder

I ended up installing it on a single indexer in a two-indexer cluster. It is not aware of distributed environments and therefore would end up indexing data twice. This is a single-point-of-failure (SPOF) scenario like with DBX, but as of right now, there is no better option that I know of. I'm open to any suggestions!


0 Karma

ccsfdave
Builder

Could it be installed on a forwarder and then sent to the indexing layer from there so it would distribute the indexing to all the indexers?

0 Karma

jdaves
Path Finder

No matter what you do, the eStreamer collector can only run on a single forwarder, otherwise you will get duplicate data. There is no intelligent handoff between forwarders to achieve high availability for this app.

0 Karma
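An added example in Python (not code from the thread or from the eStreamer app) that checks for the two failure modes discussed above: the same eStreamer event indexed from more than one collector, and the single collector going silent. The event ids, collector host names and field names are constructed assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: events as they would look after two collectors
# (hypothetical hosts "hf-01" and "hf-02") both pulled the same eStreamer feed.
# "event_id", "collector" and "ts" are assumed field names, not the app's own.
SAMPLE_EVENTS = [
    {"event_id": "1001", "collector": "hf-01", "ts": "2016-06-01T10:00:00"},
    {"event_id": "1001", "collector": "hf-02", "ts": "2016-06-01T10:00:01"},
    {"event_id": "1002", "collector": "hf-01", "ts": "2016-06-01T10:00:05"},
    {"event_id": "1002", "collector": "hf-02", "ts": "2016-06-01T10:00:06"},
    {"event_id": "1003", "collector": "hf-01", "ts": "2016-06-01T10:00:09"},
    {"event_id": "1004", "collector": "hf-01", "ts": "2016-06-01T10:02:00"},
]


def find_duplicate_ingestion(events):
    """Map each event id that arrived from more than one collector to the sorted
    list of those collectors; any hit means the app is running in two places."""
    seen = defaultdict(set)
    for e in events:
        seen[e["event_id"]].add(e["collector"])
    return {eid: sorted(hosts) for eid, hosts in seen.items() if len(hosts) > 1}


def duplicate_ratio(events):
    """Fraction of distinct event ids that were ingested by more than one collector."""
    ids = {e["event_id"] for e in events}
    if not ids:
        return 0.0
    return len(find_duplicate_ingestion(events)) / len(ids)


def silent_collectors(events, now_iso, max_silence_s):
    """Collectors whose newest event is older than max_silence_s seconds at now_iso.
    With a single collector (the SPOF in the thread) this is the alert to run."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        last_seen[e["collector"]] = max(last_seen.get(e["collector"], ts), ts)
    return sorted(h for h, ts in last_seen.items()
                  if (now - ts).total_seconds() > max_silence_s)


if __name__ == "__main__":
    print("duplicated:", find_duplicate_ingestion(SAMPLE_EVENTS))
    print("silent:", silent_collectors(SAMPLE_EVENTS, "2016-06-01T10:02:30", 60))
```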

ccsfdave
Builder

So put it on a fwd and it will take care of sending the data to the indexers? I have it on a stand-alone test box, but that kind of obscures where it should live or how it becomes aware of other layers.

0 Karma

jdaves
Path Finder

Yeah, you can put it on a heavy forwarder. I don't know if it works with a universal forwarder, though. The forwarder will forward the data from the eStreamer script the same as if it were monitoring a file. There's no difference.

0 Karma

ccsfdave
Builder

Sweet! I will do that and report back. It will be a few days. I am trying to see how much data this is going to create.

0 Karma