Getting Data In

Do I need to make outputs.conf for all apps?

ecaepp
Explorer

Hey, just a quick question to find out if I need to make an outputs.conf file for apps.

I am creating a bunch of apps right now to service my cluster's need for a multi-tenant environment. So I am just wondering if I need an outputs.conf file for each app that's going to be used at a location, or if I can just set a base app with an outputs.conf file that the apps can use to forward traffic with?

0 Karma
1 Solution

jkat54
SplunkTrust

Outputs.conf only need be specified once IF you are forwarding data from a Splunk instance to indexers or other forwarders.

You very well could use it in a multi-tenant environment if you wanted each app to forward to specific indexers or to indexers on different ports, etc. So it's up to you. If you use different indexer ports or SSL certs for each tenant / group of inputs (for any reason), then you'll find multiple outputs.confs useful.

An example might be that the security team wants all Windows security logs forwarded to their Splunk Enterprise Security enabled indexers. You could thereby create an app with inputs for security logs and outputs that send the data to that team's indexers only.


ddrillic
Ultra Champion

A very interesting thread at -

Changing UF outputs.conf using deployment server

It says -

usual method is to:

• create an app in the deployment server in .../etc//deployment-apps//default/outputs.conf

• define a serverclass.conf on the deployment server (to match clients to apps)

• configure the forwarders to point to the deployment-server in deploymentclient.conf

see http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver

only potential hiccup, if your existing outputs.conf is already in /etc/system/local, then it will have precedence on the one in the deployed app, so move it away first.

0 Karma
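The precedence caveat quoted in the post above, as an added example that is not part of the original thread and not Splunk's own tooling: a simplified model of Splunk's global-context layering (system/local, then app local, then app default, then system/default, apps in ASCII order) that reports which outputs.conf file actually wins for each setting. The app name, host names and the `SAMPLE` tree are constructed for illustration.

```python
import configparser, tempfile
from pathlib import Path

# Constructed sample layout (hypothetical app name and hosts), relative to $SPLUNK_HOME/etc.
SAMPLE = {
    "system/local/outputs.conf":
        "[tcpout:primary]\nserver = old-idx.example.com:9997\n",
    "apps/org_all_forwarder_outputs/default/outputs.conf":
        "[tcpout]\ndefaultGroup = primary\n"
        "[tcpout:primary]\nserver = idx1.example.com:9997\n",
}

def layer_rank(rel):
    """Sort key for a path relative to etc/; the lowest rank wins."""
    p = rel.parts
    if len(p) == 3 and p[:2] == ("system", "local"):
        return (0, "")
    if len(p) == 4 and p[0] == "apps" and p[2] in ("local", "default"):
        return (1 if p[2] == "local" else 2, p[1])  # apps tie-break in ASCII order
    if len(p) == 3 and p[:2] == ("system", "default"):
        return (3, "")
    return None  # not a layer a forwarder reads, e.g. deployment-apps/

def resolve(etc_dir):
    """Map (stanza, key) -> [(value, file), ...], highest precedence first."""
    etc = Path(etc_dir)
    files = [f.relative_to(etc) for f in etc.rglob("outputs.conf")]
    merged = {}
    for rel in sorted((f for f in files if layer_rank(f) is not None), key=layer_rank):
        cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
        cp.optionxform = str  # keep key case exactly as written
        cp.read(etc / rel)
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                merged.setdefault((stanza, key), []).append((value, rel.as_posix()))
    return merged

def shadowed_by_system_local(etc_dir):
    """Settings whose effective value comes from system/local although an app also sets them."""
    return {sk: defs for sk, defs in resolve(etc_dir).items()
            if defs[0][1].startswith("system/local/")
            and any(f.startswith("apps/") for _, f in defs[1:])}

def write_sample(root):
    """Materialise the constructed SAMPLE tree under root."""
    for rel, text in SAMPLE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for (stanza, key), defs in shadowed_by_system_local(write_sample(tmp)).items():
            print(f"[{stanza}] {key} = {defs[0][0]}  <- {defs[0][1]} overrides {defs[1][1]}")
```

On a real forwarder, `splunk btool outputs list --debug` shows the merged settings together with the file each one comes from.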

ecaepp
Explorer

Thank you!

0 Karma