Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

different deployment dir for same app

dinisco
Explorer
‎06-09-2011 10:52 AM

I have several hosts I want to deploy the same app to. I would like to use a different local/inputs.conf for different clients. My reasoning is that I want to turn some scripts on for some clients and not for others, or change intervals, etc.

I'm currently using the standard "unix" app. I suppose I could create a new app, but it would be a lot easier to be able to specify different options for the same app. Is there any way to do this?

Here's a copy of my serverclass.conf:


[global]
blacklist.0=*
continueMatching = true

[serverClass:my_clients]
whitelist.0=host1.example.com
whitelist.1=host2.example.com
whitelist.1=host3.example.com

[serverClass:my_clients:app:unix]
stateOnClient=enabled
restartSplunkd=true

Tags (1)
0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎06-09-2011 03:57 PM

I believe you could create a new class for each grouping of clients, and then create a new add-on under deployment-apps for each. The add-ons would simply include the inputs.conf for that group:

- deployment_apps
   - unix
   - unix_input_group1
      - default
          - inputs.conf
   - unix_input_group2
      - default
          - inputs.conf

You would leave all inputs disabled in the main unix app, and instead have them setup in the add-ons for the class. A couple of caveats though; the standard unix app inputs.conf has script stanzas like this:

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

I imagine you'd have to modify the stanza to the full path (i.e. [script://$SPLUNK_HOME/etc/apps/unix/bin/iostat.sh]) because the referenced scripts aren't in your new app's bin directory. Also, I don't imagine that stanzas in your custom add-ons would properly override those in the unix app. In other words, if you have a unix/default/inputs.conf with this stanza:

[monitor:///var/log]
_whitelist=(\.log|log$|messages$|mesg$|cron$|acpid$|\.out)
_blacklist=(lastlog)
index=os
disabled = 1

best practice to enable it would be to create a unix/local/inputs.conf like this:

[monitor:///var/log]
disabled = 0

However, I don't believe you could enable an input in that way if you're working off of a unix/default/inputs.conf in another app's directory (though I'm not positive of that, so you may want to give it a try). So, you probably need to just copy the entire unix/default/inputs.conf to your new apps, modify script paths and intervals.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...