All Apps and Add-ons

Where do you recommend installing the Cisco eStreamer eNcore Add-on for Splunk in a distributed environment?

ltrotter83
New Member

I have 1 search head, 2 Linux heavy forwarders, 1 indexer, 1 Deployment server, and 3 Windows heavy forwarders.

0 Karma

smallfry
Explorer

I have a question that I thought will be better if I add it here, rather than creating a new one. My questions are as the following:

  • With the eNcore Add-on already installed on a Heavy Forwarder, wouldn't deploying an updated Add-On via a Deployment Server makes the existing "data" directory becomes empty again since it will be overwritten by the copy from the Deployment Server?

  • How can I do so without affecting the existing "data" directory or it doesn't matter since the logs had been ingested?

  • Lastly, what's the impact of the "data" directory becomes empty? Will the logs be downloading in real-time from the FMC or does the Add-on download logs that had been in the FMC for x number of hours (example)?

Thanks everyone in advance.

0 Karma

douglashurd
Builder

you should use the Deployment Server to deploy the eNcore Add-on to heavy forwarder (for the data input/collection), as well as indexer and search head (since the add-on contains field extractions)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...