Deployment Architecture

merging content from two configuration files

ajaysamantbms
Explorer

Is it possible to create 2 server classes -

one server class contains input.conf file with only stanza A and stanza B
second server class contains input.conf file with only stanza C

and a client is a member of both these server classes.

So when I push the changes using forward manager console - I will push it sequentially using these 2 server classes. And at client side I expect all three stanzas in inputs.conf file.

Is this possible?

0 Karma
1 Solution

kristian_kolb
Ultra Champion

Well, of course this is possible; that is the reason for having server*classes*, so that e.g. all Windows servers will collect Windows event logs, and the subset of Windows servers that are also web servers will collect the IIS logs, etc.

Since these inputs.conf files will be deployed in different apps, they will also be stored like that on the forwarders. At run-time the files are automatically merged into a single config file by splunkd, and it is not something that either you or the deployment server handles. This is a built-in feature, which is described here:

http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Aboutconfigurationfiles
http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Wheretofindtheconfigurationfiles

/K

EDIT: clarification and link to docs.

0 Karma

kristian_kolb
Ultra Champion

Well, if you only have two servers, it does not really matter which way you slice it. Either you have 2 apps:

app1: c:\test1\ + perfmon
app2: c:\test2\ + perfmon + registry

or you have 3 apps:

app1: perfmon
app2: c:\test1\
app3: c:\test2\ + registry

Deploy them accordingly with serverclasses.

0 Karma

ajaysamantbms
Explorer

Just confirming my understanding based on your example:
If I have 2 Windows forwarders and the first one is supposed to monitor performance and the c:\test1 folder, and the second one is supposed to monitor performance, registry and the c:\test2 folder (note c:\test2 does not exist on machine 1),
then I will have the following:

server1 app - containing common configs for both machines
server2 app - containing registry config and c:\test1 inputs - client will be machine1 only
server3 class app containing config to monitor c:\test2 only and client = second machine

Is this a correct assumption?

0 Karma

lukejadamec
Super Champion

No, all three stanzas will not end up in the same inputs.conf. Best case is what Kristian posted, you'll have two apps each with an inputs.conf - one with 1 stanza and one with 2 stanzas. You should not have a problem so long as they don't conflict.

0 Karma
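The run-time merge and the "so long as they don't conflict" caveat discussed in the answers above, as an added example that is not code from the thread or from Splunk: a simplified Python model of how per-app inputs.conf files combine into one effective configuration. The app names, stanzas and index values are constructed, and the model assumes one inputs.conf per app evaluated in global context (the app directory that sorts first in ASCII order wins), ignoring the system and default/local layers.

```python
import configparser

# Constructed sample: two apps as they would sit under etc/apps/ on one forwarder.
APPS = {
    "app_windows": r"""
[WinEventLog://Security]
disabled = 0
index = wineventlog
""",
    "app_iis": r"""
[monitor://C:\inetpub\logs\LogFiles]
index = iis

[WinEventLog://Security]
index = iis
""",
}

def parse(text):
    """Parse one inputs.conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def effective_inputs(apps):
    """Merge per-app files into {stanza: {key: (value, winning_app)}}.

    Assumption: inputs.conf is evaluated in global context, where the app
    directory that sorts first in ASCII order takes priority.
    """
    merged, conflicts = {}, []
    for app in sorted(apps):  # highest priority first
        for stanza, settings in parse(apps[app]).items():
            target = merged.setdefault(stanza, {})
            for key, value in settings.items():
                if key in target and target[key][0] != value:
                    conflicts.append((stanza, key, target[key][1], app))
                target.setdefault(key, (value, app))
    return merged, conflicts

if __name__ == "__main__":
    merged, conflicts = effective_inputs(APPS)
    for stanza, settings in merged.items():
        print(f"[{stanza}]")
        for key, (value, app) in settings.items():
            print(f"  {key} = {value}    <- {app}")
    for stanza, key, winner, loser in conflicts:
        print(f"CONFLICT [{stanza}] {key}: {winner} overrides {loser}")
```

The files stay separate on disk and only the effective view is merged; in this sample the overlapping stanza silently sends Security events to a different index, which is the kind of conflict to catch before deploying. On a real forwarder, `splunk btool inputs list --debug` prints the merged settings together with the file each one came from.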