So, I'm looking at deploying the Splunk *nix Add-on to allow us to gather some data from some linux servers.
I don't wan't the incoming data to end up in the default index, so I've created a new index on our Index cluster, and I've added a new local/inputs.conf to override the Add-on's default input.conf. This has been deployed to a server I'm monitoring and everything is working fine.
However, I'm a it confused as to what I need to do with the instance of the add-on that 's supposed to be installed on the search head and indexers. I don't need these to input any data at all (at least, not from the splunk servers they're sitting on). The documentation says I do need these to run on the indexers as I'm using a universal forwarder and not a heavy forwarder - though I'm not sure why.
Do I need to do anything about the inputs.conf? I don't want the instance on the indexers or search head to index the splunk servers. Do I need to apply the add-on as is? The Add-on with my custom inputs.conf, or in someway otherwise alter it? The documentation doesn't seem to mention anything along these lines.
Thanks
Dave
Install the add-on in all three places, however inputs.conf should be inactive on the indexers and search heads. You can do that by using local/inputs.conf to disable all inputs not disabled by default or by removing default/inputs.conf.
The add-on is needed on the indexers so they know how to parse the data and extract any index-time fields.
The add-on is needed on the search heads to extract search-time fields.