must be D. ref: https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Indexerclusterinputs . while it is possible to use inputs.conf (B) it is not best practice for several reasons (e.g "To handle potential node failure"). see the link for details
It's not recommended to use modular inputs on Clustered Indexers, because each indexer will ingest data and that means you have duplicate data. For HEC you use a load-balancer to prevent ingest duplicate data and better to also prevent single point of failure.
The recommended method to ingest data on clustered indexers in Splunk is to use option B, which includes Modular inputs, HTTP Event Collector (HEC), and inputs.conf monitor stanza.
Modular inputs are scripts or executables that can be run on remote systems to collect data and send it to Splunk. HEC is a data ingestion method that enables external systems to send data directly to Splunk via a REST API over HTTP or HTTPS. Inputs.conf monitor stanza is used to monitor local and network files for changes and ingest the data into Splunk.
Options A and C are not recommended because they involve collecting data actively by monitoring systems and listening on ports. This approach can be resource-intensive and may affect the performance of the clustered indexers.
Option D includes Splunk TCP and TCP-SSL, which are not commonly used for data ingestion on clustered indexers. These protocols are typically used for data forwarding between Splunk instances or for inputs that require secure communication, such as Splunk Enterprise Security.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Vatsal001
Highly Voted 3 years, 1 month agohpbdcb
Most Recent 1 year agosutcocuk
1 year, 6 months agojcisco123
1 year, 11 months agobigdo
3 years, 10 months ago