Getting Data In

What and where do I write the server class configuration for a deployment app to be pushed to forwarders?

sushmitha_mj
Communicator

URGENT!!
I want to create a splunk deployment app to configure the forwarder to pick data from a server location.
I know that to create a deployment app, I just have to create a folder in $SPLUNK_HOME/etc/deployment-apps (which is empty) and in forwarder management, add the server class to it... But how do I write code into it? What and where should I write to make the forwarder pick up data from the location?

0 Karma
1 Solution

gwalford
Path Finder

Why do you want to write a Splunk-Specific app to do this?

You can make changes to the end points with deployment technologies such as Puppet, Chef or SCCM for example. This allows you to push out new configurations.

You can also deploy apps with the Splunk Deployment server as well:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Updating/Aboutdeploymentserver

Why try to reinvent the wheel?

View solution in original post

sushmitha_mj
Communicator

@gwalford
Like should I add the app. conf, prop.conf files or would it add them on its own? Where should I write what it should do?

0 Karma

sushmitha_mj
Communicator

@gwalford

Again thank you so much......... I am working on an urgent requirement and your help is of great value.

Thanks for the document. It definitely helps me understand the contents of inputs.config. I created an app folder in the deployment_apps folder, created a subdir caled local and also created a file called inputs.conf (4 line input file).
I then created a server class(it is mapped to a client ). I am trying to add this add to the server class , it does not let me and displays a server error.
My doubts are :
1. What is the problem here? Is it happening because of the contents of the app folder?
2. Is it because, it is not reading the inputs.conf?
3. WHAT SHOULD I DO?

Thank you so much for your time and help!

0 Karma

gwalford
Path Finder

You are over thinking things again.

Why are you trying to use an app?

The inputs.conf is a standard file, you do not need to use an application to do what you are trying to do.

I think you are looking at the problem in the wrong way. An application is a specific thing that you deploy,

I suggest you stop looking at the application side of Splunk, and look at the forwarder side of Splunk.

You need to read through this entire document (and each section) to get a handle on what you really want to do:

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata

0 Karma

sushmitha_mj
Communicator

@gwalford

This makes so much sense to me now... Thank you first of all for that...
But for creating an app to
1. Monitor a path lets say /abc/def in a server where forwarder is located
2. Pick data if the file is of a certain name and certain type
3. Load the data into splunk
Note: the splunk root and the forwarders are on different location

What are all the files that I should write or is there like app.conf, inputs.conf etc ?
Which ones(files) come as default if I create this APP DIRECTORY and tie it into the class?
Or should I manually create all the files that should go into this app directory?
Is there any sample script that you can share?

0 Karma

gwalford
Path Finder

You are looking for the "inputs.conf" file. That is the file that selects what you will be monitoring:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

I highly recommend you try doing this manually first, get a good understanding of doing it by hand, once you understand that, then you can create modified versions and deploy them.

gwalford
Path Finder

Why do you want to write a Splunk-Specific app to do this?

You can make changes to the end points with deployment technologies such as Puppet, Chef or SCCM for example. This allows you to push out new configurations.

You can also deploy apps with the Splunk Deployment server as well:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Updating/Aboutdeploymentserver

Why try to reinvent the wheel?

sushmitha_mj
Communicator

Okay... I am doing this the first time.. so could you please be more specific?
I have read this deployment server article numerous times now... but... it still does not answer my question of how do I push the config to make the forwarder pick the data from a location ?

0 Karma

gwalford
Path Finder

To find the deployment server settings, in Splunk (when you have a deployment server) go to "Settings" then go to "Forwarder Management".

gwalford
Path Finder

The best thing to try is to set up an actual deployment server.

It is all GUI driven through Splunk, so it won't make much sense to read the article over and over.

Basically, you put the files in the App Directory you want. Then you "create" an app in the GUI, then you tie this app into a "Class" or a group of systems you want to have the app on, then you tell the system to deploy the app. Then the deployment server pushes the app out to the points you want.

As an example, I pushed out the "cisco_ios" app to some of my machines and the "splunk_app_for_Unix" to others. Before I did this, I copied those applications to the deployment servers app directory. I then defined the apps, and the systems that needed them, and the deployment server pushed them out.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...