All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

File/Directory Information Input: Is there a way to point this add-on at a Clustered Index?

FrankBurns
New Member
‎09-26-2016 06:32 AM

Simple question. I want to point this add-on at a search head that can see an indexing cluster and have it store its output on an index in the cluster (not a local one). You can't do this via the UI as it only shows local indexes. I assume I can just edit the relevant config file but I can't find the config file.

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎09-27-2016 06:27 AM

So if the file/directory to poll is on a different machine from indexing cluster you might want to consider using the universal forwarder to send data to the indexing cluster.

Universal forwarder docs - http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Usingforwardingagents

0 Karma
Reply

FrankBurns
New Member
‎09-27-2016 06:29 AM

Why would I add a Universal Forwarder to a search head?

The search head already has an outputs.conf that allows forwarding to the index cluster. I just need to point this app at the right index name.

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎09-27-2016 06:47 AM

So generally if you are scaling out Splunk people tend to split it across 3 tiers, the search head layer, the indexing layer, and the data forwarder layer. These layers generally tend to be on different machines.

So the suggestion of universal forwarder was more based on long term scaling for your Splunk instance.

0 Karma
Reply

FrankBurns
New Member
‎09-27-2016 07:25 AM

Thanks for your input but it isn't really addressing the original question, I am afraid. Whether a UF is there or not won't help with the fact that I currently don't have a way to tell the app to point to a clustered index.

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎09-27-2016 07:56 AM

Does following http://docs.splunk.com/Documentation/Splunk/6.4.3/DistSearch/Forwardsearchheaddata also forward the app data?

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎09-26-2016 09:02 AM

Are you trying to get File/Directory Input data onto an indexing cluster? Is the search head able to query data from the indexing cluster at the moment?

0 Karma
Reply

FrankBurns
New Member
‎09-27-2016 06:16 AM

Yes to both questions.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...