So, I'm looking at deploying the Splunk *nix Add-on to allow us to gather some data from some Linux servers.
I don't want the incoming data to end up in the default index, so I've created a new index on our Index cluster, and I've added a new local/inputs.conf to override the Add-on's default inputs.conf. This has been deployed to a server I'm monitoring and everything is working fine.
However, I'm a bit confused as to what I need to do with the instance of the add-on that's supposed to be installed on the search head and indexers. I don't need these to input any data at all (at least, not from the Splunk servers they're sitting on). The documentation says I do need these to run on the indexers as I'm using a universal forwarder and not a heavy forwarder - though I'm not sure why.
Do I need to do anything about the inputs.conf? I don't want the instance on the indexers or search head to index the Splunk servers. Do I need to apply the add-on as is? The Add-on with my custom inputs.conf, or in some way otherwise alter it? The documentation doesn't seem to mention anything along these lines.
Thanks
Dave