I've waited to reply as I'm a NOOB trying to understand Splunk, the App and then the way my company deployed it and making sense of it all. Basically, we have multiple indexers and multiple search heads and it's all magically intertwined. My question was where should the app get installed: on the indexer directly, or the search head? Or better yet, how to equally distribute it. We ended up installing it on a single search head, but that doesn't get the data into the larger pool. So now that I think I better understand it all through trial and error, what is the proper way to deploy this app in such an environment? Via a heavy forwarder perhaps? Is there a best practices document, or any documentation for that matter, on deploying this in large environments?