Deployment Architecture

Can you assign multiple serverclasses to one server?

CaptainHook
Communicator

We have a serverclass set up to ingest WinEventLog:Security logs for multiple servers (contains a blacklist for account names and ID's). The consumer is looking to add the WinEventLog:Directory Service logs for only (1) of the servers.

Would we be able to accomplish this by having (2) server classes assigned to the one server? Or, is there a best practice solution for this type of scenario?

Thank you in advance for any guidance.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

I would create a new serverClass for WinEvenLog:Directory monitoring app/server, to reduce the complexity. One server can be part of multiple serverClass.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

I would create a new serverClass for WinEvenLog:Directory monitoring app/server, to reduce the complexity. One server can be part of multiple serverClass.

sloshburch
Splunk Employee
Splunk Employee

Agreed. Bottom line: yes, you can have servers mapped to various serverclasses. In fact, you SHOULD do it this way to more easily manage.

0 Karma

CaptainHook
Communicator

Okay, that is what I was doing. I created a secondary serverclass just for WinEventLog: Directory Service and was going to add that only to the client that they want additional logs from. I believe we're saying the same thing, correct?.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

I would create a new serverclass just for WInEventLog:Directory, add just that single client as it's member. Than I will create an data input app to just monitor WInEventLog:Directory and assign that app to this server class.
We've three elements here
serverClass----Member servers
|__Apps to be deployed

CaptainHook
Communicator

Okay, that;s what I was thinking...thank you for confirming.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...