different deployment dir for same app

dinisco
Explorer

I have several hosts I want to deploy the same app to. I would like to use a different local/inputs.conf for different clients. My reasoning is that I want to turn some scripts on for some clients and not for others, or change intervals, etc.

I'm currently using the standard "unix" app. I suppose I could create a new app, but it would be a lot easier to be able to specify different options for the same app. Is there any way to do this?

Here's a copy of my serverclass.conf:


[global]
blacklist.0=*
continueMatching = true

[serverClass:my_clients]
whitelist.0=host1.example.com
whitelist.1=host2.example.com
whitelist.2=host3.example.com

[serverClass:my_clients:app:unix]
stateOnClient=enabled
restartSplunkd=true

0 Karma

mw
Splunk Employee

I believe you could create a new class for each grouping of clients, and then create a new add-on under deployment-apps for each. The add-ons would simply include the inputs.conf for that group:

- deployment-apps
   - unix
   - unix_input_group1
      - default
          - inputs.conf
   - unix_input_group2
      - default
          - inputs.conf

You would leave all inputs disabled in the main unix app, and instead have them set up in the add-ons for the class. A couple of caveats, though: the standard unix app inputs.conf has script stanzas like this:

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

I imagine you'd have to modify the stanza to the full path (i.e. [script://$SPLUNK_HOME/etc/apps/unix/bin/iostat.sh]) because the referenced scripts aren't in your new app's bin directory. Also, I don't imagine that stanzas in your custom add-ons would properly override those in the unix app. In other words, if you have a unix/default/inputs.conf with this stanza:

[monitor:///var/log]
_whitelist=(\.log|log$|messages$|mesg$|cron$|acpid$|\.out)
_blacklist=(lastlog)
index=os
disabled = 1

best practice to enable it would be to create a unix/local/inputs.conf like this:

[monitor:///var/log]
disabled = 0

However, I don't believe you could enable an input in that way if you're working off of a unix/default/inputs.conf in another app's directory (though I'm not positive of that, so you may want to give it a try). So, you probably need to just copy the entire unix/default/inputs.conf to your new apps and modify script paths and intervals.

0 Karma
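
The last step of the answer above (copy unix/default/inputs.conf into each add-on, rewrite the script paths, adjust intervals), sketched as an added example that is not part of the original thread or any Splunk tooling. The sample stanzas, the function name `build_group_inputs` and the per-group settings are constructed for illustration; the full-path form is the one suggested in the answer.

```python
import re

# Constructed sample in the style of the unix app's default/inputs.conf.
SAMPLE_DEFAULT = """\
[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1
"""

# Full-path prefix from the answer: the scripts stay in the unix app's bin directory.
SCRIPT_PREFIX = "script://$SPLUNK_HOME/etc/apps/unix/bin/"

def build_group_inputs(default_text, enable):
    """Return inputs.conf text for one add-on (e.g. unix_input_group1).

    enable maps a script file name ("iostat.sh") to the interval this client
    group should use; scripts not listed keep their settings and stay disabled.
    Assumes every stanza carries its own 'disabled' line, as in the sample.
    """
    out, current = [], None
    for line in default_text.splitlines():
        m = re.match(r"\[script://\./bin/([^\]]+)\]$", line.strip())
        if m:
            current = m.group(1)
            line = f"[{SCRIPT_PREFIX}{current}]"   # relative -> full path
        elif line.startswith("["):
            current = None                         # non-script stanza: copy as-is
        elif current in enable:
            key = line.split("=", 1)[0].strip()
            if key == "interval":
                line = f"interval = {enable[current]}"
            elif key == "disabled":
                line = "disabled = 0"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Group 1 runs iostat every 30 s; group 2 runs vmstat every 120 s.
    print(build_group_inputs(SAMPLE_DEFAULT, {"iostat.sh": 30}))
    print(build_group_inputs(SAMPLE_DEFAULT, {"vmstat.sh": 120}))
```

Write each result to the matching add-on's default/inputs.conf under deployment-apps before reloading the deployment server.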