Getting Data In

How can I forward all "Splunk Deployment Monitor App" to another Splunk

mamaral
Path Finder

I'm wondering if you could help me with an issue… Here in my company we installed different servers for each of the different Splunk rules.

So now I’d like to look at only one “Splunk Deployment Monitor App” and see in it everything about the health of my Splunk environment.

Is there a way to forward this kind of information to the indexers and enable the “Splunk Deployment Monitor App” on the search heads?

What I did was enable the “Splunk Deployment Monitor App” on each server, which seems to be wrong because I don’t have this information centralized! And I need to access each server to see that information...

Could someone please give me a tip for this ?!

Thanks so much,

Marcelo Amaral

Paolo_Prigione
Builder

If you enable the app on the search head (SH) and the SH already lists all the indexers as search peers, then you should be able to get the aggregate view from the SH itself.

However, in case your SH does not store the summary indexes locally but rather forwards everything to the indexers themselves, then you'll have to manually create the Deployment Monitor's specific indexes on the indexers, too.

EDIT: in case you have multiple search heads, you'd better follow these docs.

0 Karma

mamaral
Path Finder

Hi Anthony, thanks for answering my question, but I do think there's a misunderstanding here... Splunk Deployment Monitor is a built-in app in Splunk 4.2 that you can enable or not, in case you want to monitor your Splunk environment. Our issue here is related to the fact that we have 4 indexers, 2 search heads and 2 heavy forwarders, and we'd like to look at only one "Splunk Deployment Monitor" and get all the information related to all the other servers. Your serverclass.conf example is something we've already done here to set up some of our apps, but I do think it wouldn't work with "Splunk Deployment Monitor". Is there another way to figure out this issue? Thanks,

Amaral

0 Karma

treinke
Builder

In your serverclass.conf file, whitelist / blacklist a pattern for your servers. In the example I have the prefix on the server.

$Splunk_Home\etc\system\local\serverclass.conf:

[global]

#Set Classes
[serverClass:Location01]
whitelist.0=Loc01*

[serverClass:Location02]
whitelist.0=Loc02*

[serverClass:Location03]
whitelist.0=Loc03*

#App
[serverClass:Location01:app:Forward2Location01]
stateOnClient=enabled
restartSplunkd=true

[serverClass:Location02:app:Forward2Location02]
stateOnClient=enabled
restartSplunkd=true

[serverClass:Location03:app:Forward2Location03]
stateOnClient=enabled
restartSplunkd=true

Create an app for each location. This will point to the indexer you want the data sent to.

$Splunk_Home\etc\deployment-apps\Forward2Location01\outputs.conf

[tcpout]
defaultGroup=Location01

[tcpout:Location01]
server=SplunkIndex01:9997

With this you can have one deployment server, and when the clients download the app, it will tell the server which server to send the data to.

There are no answers without questions