Should the app cis-controls-app-for-splunk be installed on the indexers too?

yannK
Splunk Employee

I noticed that the app cis-controls-app-for-splunk is running 600+ scheduled searches.
I understand that they need to run on the search head, but I also installed it on the indexers, and they are running double searches now, causing unnecessary load.

Can you confirm whether the app should be deployed on the indexers?
Or, if so, whether the scheduled searches have to be disabled on the indexers?

0 Karma

aperez_splunk
Splunk Employee

Hi yannK,

App developer here. Thanks for checking out the CIS app.

This app just needs to be installed on the relevant search head. TAs relevant to your data sources should be installed across your environment as indicated in their respective installation instructions on Splunkbase.

The key need for the TAs is to apply CIM-compliant tags and eventtypes so that the saved searches in the app will pick up the appropriate data sources.

Installing/running the app on your Indexers is not required (or recommended).

Hope that helps and let me know if you have any trouble,
AP

0 Karma

koshyk
Super Champion

I downvoted this post because of the presence of indexes.conf and index-time fields within the app, while it says the app is not required on indexers. (When you compile these apps in staging_server, they will automatically put index_time entries into Splunk_TA_forIndexers and push them to the indexers without users knowing it, so one should be careful while deploying in enterprise systems.)

0 Karma

hardikJsheth
Motivator

You don't need the app on the indexers unless there are any extractions in the props or transforms.conf files. Please refer to the following link for more help.

https://wiki.splunk.com/Community:HowIndexingWorks

0 Karma
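A pre-deployment check for the question discussed in this thread, as an added example that is not from any poster or from the CIS app itself: it lists the enabled scheduled searches, index-time props.conf keys and index definitions an app would activate wherever it is copied. The sample app contents are constructed, and the list of index-time keys is a partial selection chosen for this example.

```python
import re, tempfile
from pathlib import Path

# props.conf keys applied at parse/index time (search-time EXTRACT-, REPORT- are excluded).
INDEX_TIME = re.compile(r"^(TRANSFORMS-|SEDCMD-|LINE_BREAKER$|SHOULD_LINEMERGE$|"
                        r"TIME_PREFIX$|TIME_FORMAT$|MAX_TIMESTAMP_LOOKAHEAD$|TRUNCATE$)")
TRUE = {"1", "true"}
SAMPLE = {  # constructed sample app, NOT the contents of the real CIS app
    "default/savedsearches.conf": "[Control 1]\nenableSched = 1\n[Control 2]\nenableSched = 1\n",
    "local/savedsearches.conf": "[Control 2]\ndisabled = 1\n",
    "default/props.conf": "[example:st]\nTRANSFORMS-route = r1\nEXTRACT-user = user=(\\S+)\n",
    "default/indexes.conf": "[example_cis]\nhomePath = $SPLUNK_DB/example_cis/db\n",
}

def parse_conf(path):
    """Parse a .conf file into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, "default"
    for line in map(str.strip, path.read_text().splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit_app(app_dir):
    """List what the app would activate on whichever instance it is copied to."""
    merged = {}
    for layer in ("default", "local"):  # local/ overrides default/
        for conf in sorted(Path(app_dir, layer).glob("*.conf")):
            for stanza, kv in parse_conf(conf).items():
                merged.setdefault(conf.name, {}).setdefault(stanza, {}).update(kv)
    searches = [s for s, kv in merged.get("savedsearches.conf", {}).items()
                if kv.get("enableSched", "0").lower() in TRUE
                and kv.get("disabled", "0").lower() not in TRUE]
    props = [f"{s}:{k}" for s, kv in merged.get("props.conf", {}).items()
             for k in kv if INDEX_TIME.match(k)]
    indexes = [s for s in merged.get("indexes.conf", {}) if s != "default"]
    return {"scheduled_searches": searches, "index_time_props": props, "indexes": indexes}

def audit_sample():
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(text)
        return audit_app(root)

if __name__ == "__main__":
    print(audit_sample())
```

Point `audit_app()` at an unpacked app directory before pushing it to a tier; a non-empty `scheduled_searches` list is what produces the duplicated search load described in the question.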