should the app cis-controls-app-for-splunk be inst...

yannK · ‎05-02-2017

I noticed that the app cis-controls-app-for-splunk is running 600+ scheduled searches.
I understand that they need to run on the search-head, but I also installed it on the indexers, and the are running double searches now, causing unnecessary load.

Can you confirm if the app should be deployed on the indexers.
Or if they do if the scheduled searches have to be disabled on the indexers ?

aperez_splunk · ‎06-12-2017

Hi yannK,

App developer here. Thanks for checking out the CIS app.

This app just needs to be installed on the relevant search head. TAs relevant to your data sources should be installed across your environment as indicated on there respective installation instructions on Splunkbase.

The key need for the TAs is to apply CIM-compliant tags and eventtypes so that the saved searches in the app will pick up the appropriate data sources.

Installing/running the app on your Indexers is not required (or recommended).

Hope that helps and let me know if you have any trouble,
AP

koshyk · ‎06-12-2017

I downvoted this post because due to presence of indexes.conf && index time fields within the app and saying it is not required for indexers. (These apps when you compile in staging_server will automatically put index_time entries into Splunk_TA_forIndexers and push to indexers without users knowing it and should be careful while deploying in enterprise systems.)

hardikJsheth · ‎05-06-2017

You don't need app on indexer unless untill there are any extraction in props or transforms.conf files. Please refer following link to get more help.

https://wiki.splunk.com/Community:HowIndexingWorks

should the app cis-controls-app-for-splunk be installed on the indexers too ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life