Since Cribl is doing all the hard work, I can remove the palo TA from the indexers?

Mugdha Khandekar · September 2023

I configured the PALO pack and it's awesome. I have the data going out via HEC. Am I right to assume since Cribl is doing all the hard work, I can remove the palo TA from the indexers? I assume I'd still want it on the search heads

Kevin Morris · September 2023

<@U027YPMUU8M> you would still need the Add-on on the indexers since there are things that are still happening such as data models, etc...

nick · September 2023

uh, no. SHs handle that. If you aren't doing index-time work, then yes, you can yank the TA. Only caveat to that I can think of is large lookups. Sometimes, search bundles get too large and having the lookups on indexers can help with that.

nick · September 2023

and since Cribl is cooking the data, that means Indexer has nothing to do.

Since Cribl is doing all the hard work, I can remove the palo TA from the indexers?

Answers

Categories