I've been using Splunk as standalone for quite awhile, but I'm pretty new to Splunk Clustering. In my config, I have a 3 node cluster (2 peers, and 3rd node is both Cluster Master & Search Head).
I'm trying to understand, for Add-Ons such as Salesforce, how I ensure data is forwarded to an Index Cluster. I know on a Universal Forwarder that I can setup Indexer Discovery, and I have this working using /etc/system/local/outputs.conf.
Is the same solution the only way to forward from Add-ons like SalesForce from a Heavy Forwarder? This limits me to needing to dedicate one HF per cluster doesn't it? For example, from one HF I can't forward SalesForce data to one index cluster, and Cisco data to a different cluster.
If I'm right, and HF must be per cluster, can the cluster search head be used such that it's dual-purposed as Search Head and Heavy Forwarder using Indexer Discovery to itself?
Thanks.
↧