All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where to install Splunkgit in a distributed environment?

j4adam
Communicator
‎11-09-2016 09:19 AM

I can't find any documentation regarding the best deployment scheme for this. Looking at the configs I'm thinking:

  • Install it on a Heavy Forwarder and configure that to have the hooks into the repos
  • Install it on Indexers (or at least the indexes.conf file) so the data gets indexed. I don't see any index time opertations.
  • Install it on Search Heads in order to make use of the views, etc

Any thoughts? Am I correct in my assessment?

Side note: The Splunkgit tag is not recognized in the "tag" search on the sidebar.

0 Karma
Reply

jagadeeshm
Contributor
‎11-10-2016 05:35 AM

You seem to be on the right track. But you still need to know couple of things -

  1. If you are planning to use Heavy Forwarder for your input, it should already be configured to send all data to the indexers. And yes, you need to remove the indexes.conf file from the Heavy Forwarder.
  2. If the App provides in-built dashboards/panels, you may want to install it on the Search Head to use their UI. But when you install it on Search Head, it is recommended to eliminate some of the files like - inputs.conf, indexes.conf etc. Please see here for details instructions - http://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall
  3. Your are right! Index time operations are not always required to index data.
0 Karma
Reply

j4adam
Communicator
‎11-10-2016 09:28 AM

Would I actually need to remove the indexes.conf file from from the heavy forwarder? I have indexing globally disabled. AFAIK leaving it there would serve no purpose, but would also cause no harm.

0 Karma
Reply

jagadeeshm
Contributor
‎11-10-2016 09:55 AM

Well there are 2 things -

1 - If you enabled ALL data forwarding from HF to Indexers, you don't have to worry about having the indexes.conf on HF. On the other hand if the forwarding is not enabled, you would end up indexing data in HF (which you probably don't want)

2 - If the App has a UI for defining the inputs, and if you are planning to use it, you may need the indexes.conf.

Hope that helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...