I need to monitor a file directly on the indexer. I know I can just define an inputs.conf on the indexer itself and read the file. Later on, if I'm upgrading to an indexer cluster, could this create problems? Would the data inputs from the file still be duplicated over the different indexers when reading a file like this (as opposed to receiving data on port 9997 from a UF)?
It feels kind of like a hack to push inputs configuration from the Cluster Master, but I guess the alternative would be to install a UF on the machine as well as the Splunk Enterprise instance for the indexer, then the input would be load balanced as well, though I think this solution would be a bit of an overkill.
What is the best practice for doing this?