I have the Splunk Add-on for Check Point OPSEC LEA installed on a number of instances and I'm a bit confused about what instance it is intended to be on.
I want the add-on for its ability to log into Check Point LEA, pull data, and send it to a destination index. As such, I want to use this add-on for inputs.
I have installed it on 3 heavy forwarders, none of which have indexes or run a search head, but the add-on appears to schedule an `index=_* OR index=*` search every 10 minutes, even though it doesn't have a saved search. I think this search is part of a data model.
When I look in $SPLUNK_HOME/var/run/splunk/dispatch//search.conf I can see:
SearchParser - PARSING: summarize tstats=t override=partial manual_rebuilds=f max_time=3600 id=DM_Splunk_TA_opseclea_linux22_opsecMetrics [ search (index=* OR index=_*) (sourcetype=opsec) connection_name=* | eval nodename = "root" | rename connection_name AS root.connection_name | fields nodename, _time, host, source, sourcetype, root.connection_name ]
but I can't find the data model or saved search which is driving this.
Why is this enabled? I don't want it running on a heavy forwarder, so how do I disable this?