I have been ingesting data from an Akamai WAF using the Akamai TA from SplunkBase. Once I have sorted all of the firewall issues and such with the team I have it working how I want it.
I have the TA installed on the HF and Search Peers of my Index Cluster with the base stanza in default/inputs.conf set to disabled. I have then created a light weight TA which just has the inputs.conf setup with the appropriate tokens, URL's etc and have that only on the HF.
The TA itself has a linux folder which contains a bash script that calls the Java app that makes the connection to the REST API. All good so far.
However, when I deployed the SplunkBase TA to the Indexers, it still tries to run the Java app even though I have the inputs stanza disabled.
Does Splunk run scripts in the linux folders (and I assume windows too) if it finds them? If so how do I disable them on the indexers but not on the HF? The SplunkBase TA also has props and transforms so I definitely want them on both the HF and Indexers.
Hope this makes sense and any help greatly appreciated?
Many thanks
... View more