In am trying to install and configure Splunk App for AWS and its add-on. We have a non-clustered distributed environment with a search head and three indexers. The documentation at http://docs.splunk.com/Documentation/AWS/5.1.0/Installation/Installon-prem says:
1) Install both the app and add-on to your search heads.
2) Turn off add-on visibility on your search heads.
3) Configure the search head tier to directly forward data to the indexer tier.
4) Distribute the summary index configurations to the indexer.
5) Install the add-on to a heavy forwarder.
I am little confused about step 3 and 5. Aren't they redundant?
If the search head can forward the data to indexers, why is there a need for a heavy forwarder?
Is the heavy forwarder used to take some 'load' off the indexer? In that case, shouldn't the search head forward the data read from AWS to the heavy forwarder rather than the indexer?
... View more