App installation, scheduled searches, summary index and search heads

twinspop
Influencer

I just installed the SplunkforF5 app. I installed it on the indexer and the search head. The app has many scheduled searches, including some that feed the summary index. It seems to me that having both the search head and the indexer run the scheduled searches and si-related commands is a waste.

Just disable the scheduled jobs on the indexer? Best practices?

gkanapathy
Splunk Employee

I don't know exactly how the F5 app is. If it's just search-time things, you can just put it on the search head only. However, some apps contain index-time configuration.

There are certain best practices that I recommend for people creating apps that might be deployed in a distributed Splunk system (i.e., pretty much all of them), and my recommendations are in an answer to this:

http://answers.splunk.com/questions/4559/best-practices-for-installing-and-configuring-apps-in-a-dis...

Basically, I think that large monolithic apps are a bad idea, and they should be decomposed into the components as I outlined for proper deployment and configuration. It would be nice if you could pack everything together, deploy a single app, and have the Splunk instance figure out its own "role" and therefore what settings to ignore or pay attention to. However, we're not yet there in Splunk, so what I'm suggesting works. Even in cases where the Splunk server can selectively use parts of an app, I'd suggest that development of an app benefits from the breakdown, and usage of an app by another party over time will also work better with this kind of role decomposition of app configs.

0 Karma

gkanapathy
Splunk Employee

Yes. FYI, you can globally disable all scheduled searches on a Splunk indexer (or forwarder; this is set in LWF inside the SplunkLightForwarder app) by putting into default-mode.conf:

[pipeline:scheduler]
disabled_processors = LiveSplunks

This works in 4.1+, but I'm not sure about 4.0.

Brian_Osburn
Builder

I'd recommend just installing it on the Search head. Set up the search head as a forwarder so that the summary indexes are populated on the indexers (for redundancy and licensing measures).

I don't use the application myself, but those would be my suggestions off the top of my head.

yoho
Contributor

By doing so, where are your indexes configured? Shouldn't you keep indexes.conf (in addition to inputs.conf) on the indexer?

0 Karma

twinspop
Influencer

For future Splunkers, here's what I did. Comments welcome. On the indexer, I removed the F5 app, and moved the input I had defined for the LTM logs into .../etc/system/local/inputs.conf. Restarted the indexer. On the search head I enabled the Forwarder app (splunk enable app SplunkForwarder -auth admin:whatevs), restarted, added the indexer as a destination (splunk add forward-server 10.1.176.114:7903 -auth admin:whatevs), and finally restarted again. Badabing? Thanks to Brian and GK.

0 Karma
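
An added example, not part of the original thread or the SplunkforF5 app: before removing an app from an indexer or disabling its jobs there, this script lists which saved searches in a savedsearches.conf are enabled and scheduled, and which of those feed a summary index. The stanza names and searches in the sample are constructed; `enableSched`, `cron_schedule`, `disabled` and `action.summary_index` are standard savedsearches.conf settings.

```python
import configparser

# Constructed sample standing in for an app's default/savedsearches.conf.
SAMPLE = """\
[F5 - requests by virtual server - summary]
search = sourcetype=f5_ltm | sistats count by virtual_server
enableSched = 1
cron_schedule = */5 * * * *
action.summary_index = 1

[F5 - top clients]
search = sourcetype=f5_ltm | top client_ip
enableSched = true
cron_schedule = 0 * * * *

[F5 - old report]
search = sourcetype=f5_ltm | stats count
enableSched = 1
disabled = 1

[F5 - ad hoc pool lookup]
search = sourcetype=f5_ltm pool=*
"""

TRUTHY = {"1", "true", "t", "yes", "y"}
def is_true(value):
    return value.strip().lower() in TRUTHY

def scheduled_searches(conf_text):
    """Return (name, cron, feeds_summary_index) for each enabled scheduled search."""
    parser = configparser.ConfigParser(
        interpolation=None,         # '%' inside a search string is literal
        strict=False,               # tolerate a stanza that appears twice
        delimiters=("=",),          # ':' is not a key/value separator here
        default_section="default",  # [default] settings apply to every stanza
    )
    parser.optionxform = str        # keep key case, e.g. enableSched
    parser.read_string(conf_text)
    rows = []
    for name in parser.sections():
        stanza = parser[name]
        if is_true(stanza.get("disabled", "0")) or not is_true(stanza.get("enableSched", "0")):
            continue                # disabled or unscheduled: never runs on its own
        rows.append((name, stanza.get("cron_schedule", ""),
                     is_true(stanza.get("action.summary_index", "0"))))
    return rows

if __name__ == "__main__":
    print(*scheduled_searches(SAMPLE), sep="\n")
```

Searches continued across lines with a trailing backslash are not handled by configparser, so flatten them before parsing.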