Is it possible to package an app of indexes, reports, and dashboards & a deployment-app for forwarders into one Splunk App?

anupjishnu
Path Finder

I have created an SPL package which installs the needed indexes, reports, and dashboards - everything that falls under the App folder in the structure below. However, our project also includes configurations sent to forwarders. The question is: can we (and if yes, how) package these deployment-apps and configurations that we need to send to forwarders in the same SPL file?

$SPLUNK_HOME
     Etc
          App
               MyApp
                    Appserver
                         static
                              *.css
                    Bin
                    Default
                         *.conf
                         data
                              ui
                                   views
                                        *.xml
                    Local
                    Lookups
                         *.csv
                    Static
                         *.png

          Deployment-apps
               MyApp_dbextracts
                    local
                         *.conf
               MyApp_dfinputs
                    local
                         *.conf
               MyApp_forwarderoutputs
                    local
                         *.conf
0 Karma

esix_splunk
Splunk Employee

You can package all of these in one app and distribute the app. You do need to be aware that the indexes.conf, inputs.conf, and outputs.conf will be applied on all instances this is installed on, and of how this can affect the behaviour of the instance.

In line with best practices, I would recommend breaking out the knowledge objects (dashboards, searches, extractions, lookups, dashboards, etc.) and the indexes as a distinct app. (The index configuration we include in the SH anyways so that we can autocomplete the index name in searches.)

The inputs and outputs, I would break these out into separate apps also. Typically your outputs will be a global app, and your inputs are specific to the inputs. E.g., myorg_oracledb_inputs/.

0 Karma

anupjishnu
Path Finder

I agree with your points. The question is, why create separate apps when there is only one Search Head (that is combined with the Deployment Server) and two indexers? Having a single deployment app will make it much easier to manage and deploy the app. After all, all of this belongs to the same app, so having multiple installs for the same app, all of which will be installed on the same box, is sort of counterintuitive.

0 Karma

FritzWittwer_ol
Contributor

Usually you will use two apps: one for the indexer and search head, and a second one, often called TA_xxx, which only gets loaded on the forwarder.

0 Karma

anupjishnu
Path Finder

What you are referring to, I guess, does not use Deployment Server. Most companies make use of Deployment Server to manage which forwarders get what configurations.

0 Karma

anupjishnu
Path Finder

Both Deployment Server and Search Head are on the same server.

0 Karma

somesoni2
SplunkTrust

The forwarder configuration will go to the Search Head as well?

0 Karma