
How to deploy windows TA over different environment / indexes

sassens1
Path Finder

Hello,

I plan to deploy the Windows TA to collect logs on AD and perhaps other Windows servers/hosts as well.
However, I already have different indexes for different environments, so I don't want to use the default ones (windows, wineventlog, perfmon).
I use a deployment server and I'd like to find the best approach to do so.
So far I'm thinking about creating multiple versions of the Windows TA (i.e. one for each env), each with a local inputs.conf file containing the index name, to be deployed on the UFs.
I will deploy the original TA version on all my search heads and indexers.

What do you think? Any other ideas?
Thanks.

1 Solution

beatus
Communicator

sassens1,
I'm a big fan of using "Input Addons" aka IA-thing.

So it sounds like you could do the following:

  1. Push the default Splunk_TA_Windows to everything that needs it, with no inputs enabled.
  2. Create a baseline IA-windows that collects standard logs from all systems and deploy to all. Note - if you need to send some systems' logs to specific indexes, then there may have to be multiple IAs here too.
  3. Create N number of specialized IA-* to collect specific logs from specific sets of systems.

So I agree with the idea, but use this as an opportunity to make the names make more sense.


sassens1
Path Finder

Hi,

Thanks for this answer, it helped a lot.
So if I got you right, what you propose is to deploy from my DS:
- TA_Windows (by default no input enabled)
- IA_Windows (created with the inputs I want to collect from all sites)
and for each site/environment:
- IA_Windows_SiteX_PROD
- IA_Windows_SiteX_LAB

I think I'll use only specialized IA_windows_xxx because I want to send logs for each site to a specific index, and moreover I don't want each site to know what is collected from all systems everywhere else.
It sounds quite manageable on a long-term basis; with a dozen sites and 2 environments I'll have 24 specialized IAs max.

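To make the layout above concrete, here is an added example (not code from the thread or from Splunk's own add-on) of the three pieces involved: the per-site input add-on that pins the inputs to a site-specific index, the deployment server class that ties the base TA and that IA to one set of hosts, and the matching index definition on the indexers. The IA name IA_Windows_SiteX_PROD comes from the thread; the index name sitex_prod_wineventlog, the hostname pattern sitex-prod-* and the server class name are assumptions. The base Splunk_TA_windows is assumed to ship with its inputs disabled, so only the IA turns them on.

```ini
# --- On the deployment server:
# $SPLUNK_HOME/etc/deployment-apps/IA_Windows_SiteX_PROD/local/inputs.conf
# One stanza per event log; the stanza names must match the ones the base
# TA defines so that this file only overrides 'disabled' and 'index'.
[WinEventLog://Security]
disabled = 0
index = sitex_prod_wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true

[WinEventLog://System]
disabled = 0
index = sitex_prod_wineventlog
renderXml = true

[WinEventLog://Application]
disabled = 0
index = sitex_prod_wineventlog
renderXml = true

# --- On the deployment server:
# $SPLUNK_HOME/etc/system/local/serverclass.conf
# Hosts whose name matches the (assumed) sitex-prod-* pattern get the base
# TA plus this site's IA; LAB hosts would get a second class pointing at
# IA_Windows_SiteX_LAB instead.
[serverClass:SiteX_PROD_Windows]
whitelist.0 = sitex-prod-*
machineTypesFilter = windows-x64

[serverClass:SiteX_PROD_Windows:app:Splunk_TA_windows]
restartSplunkd = true
stateOnClient = enabled

[serverClass:SiteX_PROD_Windows:app:IA_Windows_SiteX_PROD]
restartSplunkd = true
stateOnClient = enabled

# --- On every indexer (or via the cluster manager):
# $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
# The target index must exist on the indexers; events addressed to an index
# that is not defined are dropped unless lastChanceIndex is configured.
[sitex_prod_wineventlog]
homePath   = $SPLUNK_DB/sitex_prod_wineventlog/db
coldPath   = $SPLUNK_DB/sitex_prod_wineventlog/colddb
thawedPath = $SPLUNK_DB/sitex_prod_wineventlog/thaweddb
```

Two checks worth doing after the first push: run `splunk btool inputs list --debug` on a forwarder to confirm the IA's `index` setting wins over the base TA's defaults, and verify on the indexers that the index exists before the forwarders start sending, since a missing index silently discards the Security log events you most care about. Keeping each site's events in their own index also lets you restrict search access per site with role-level index permissions, which matches the requirement that one site should not see what is collected elsewhere.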

beatus
Communicator

Yeah, that sounds good to me.
