Simple question. I want to point this add-on at a search head that can see an indexing cluster and have it store its output on an index in the cluster (not a local one). You can't do this via the UI as it only shows local indexes. I assume I can just edit the relevant config file but I can't find the config file.
So if the file/directory to poll is on a different machine from the indexing cluster, you might want to consider using the universal forwarder to send data to the indexing cluster.
Universal forwarder docs - http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Usingforwardingagents
Why would I add a Universal Forwarder to a search head?
The search head already has an outputs.conf that allows forwarding to the index cluster. I just need to point this app at the right index name.
So generally, if you are scaling out Splunk, people tend to split it across 3 tiers: the search head layer, the indexing layer, and the data forwarder layer. These layers generally tend to be on different machines.
So the suggestion of universal forwarder was more based on long-term scaling for your Splunk instance.
Thanks for your input but it isn't really addressing the original question, I am afraid. Whether a UF is there or not won't help with the fact that I currently don't have a way to tell the app to point to a clustered index.
Does following http://docs.splunk.com/Documentation/Splunk/6.4.3/DistSearch/Forwardsearchheaddata also forward the app data?
Are you trying to get File/Directory Input data onto an indexing cluster? Is the search head able to query data from the indexing cluster at the moment?
Yes to both questions.