I have created SPL package which installs the needed indexes, reports, & dashboards - all what falls under the App folder in structure below. However, our project also includes configurations sent to forwarders. Question is, Can we (if yes, how) we package these deployment-app apps & configurations that we need to send to forwarders in same SPL file?
$SPLUNK_HOME
Etc
App
MyApp
Appserver
static
*.css
Bin
Default
*.conf
data
ui
views
*.xml
Local
Lookups
*.csv
Static
*.png
Deployment-apps
MyApp_dbextracts
local
*.conf
MyApp_dfinputs
local
*.conf
MyApp_forwarderoutputs
local
*.conf
You can package all of these in one app and distribute the app. You do need to be aware that the indexes.conf, inputs.conf, and outputs.conf will be applied on all instances this is installed on and how this can effect behaviour of the instance.
In line with best practices, I would recommend breaking out the knowledge objects (dashboards, searches, extractions, lookups, dashboards etc) and the indexes as a distinct app. (The index configuration we include in the SH anyways so that we can autocomplete the index name in searches.)
The inputs and outputs, I would break these out into separate apps also. Typically your outputs will be a global app, and your inputs are specific to the inputs. E.g., myorg_oracledb_inputs/.
I agree with your points. Question is, why to create separate apps when there is only one Search Head (that is combined with Deployment Server) and two indexers? Having a single deployment app will make it much easier to manage and deploy the app. After all, all this belong to the same app, so having multiple installs for the same app and all of which will be installed on the same box, is sort of counter intuitive.
Usually you will use two apps, one for the indexer and search head and a second one, often called TA_xxx which gets only loaded on the forwarder.
What you are referring to, I guess, does not use Deployment Server. Most companies make use of Deployment Server to manage which forwarders get what configurations.
Both Deployment Server and Search Head are on the same server.
The forwarder configuration will go to Search Head as well??