
Best Practice for Setting Up Server Classes per OS?

jpetrakovic
Explorer

Hello!

I'm in a Windows-only environment. Currently I have a use case where I need to deploy one version of the Windows TA to our workstations and another version to our servers (different monitoring requirements). I'm trying to figure out the best way to go about this. Since it doesn't seem like I can make a server class based on server vs. workstation, I'm guessing what I'll need to do is point our workstations to a separate deployment server. Has anyone else done something similar?

Thanks!

0 Karma

quihong
Path Finder

I know this is an old question, but for future readers that stumble on this question...

1) Naming convention. Typically servers are named differently from workstations, but in your comment you mentioned you don't have a separate naming convention for workstations versus servers.

2) IP Address/Subnet. Hopefully you have your servers sitting on a separate network from your workstations. I use this method to send data to the appropriate indexers for a particular site.

sloshburch
Splunk Employee

No need to have different deployment servers. See What are best practices for deploying an add-on with slightly different configurations?.

The serverclass part shouldn't be hard either. You can use the machineTypesFilter with the white and black lists to control which app lands where.

0 Karma

jpetrakovic
Explorer

I was looking at the machineTypesFilter, my only issue is that both our servers and our workstations show up as "windows-x64." We don't have a separate naming convention for workstations vs. servers either, so I'm guessing I would have to manually keep up with the whitelist and blacklists (not very feasible).

0 Karma

sloshburch
Splunk Employee

Understood. I have been thinking about writing a best practice strategy for how to use the deploymentclient.conf's clientName field with a naming convention to facilitate something like that.

In the simplest form, you could set that field with the <hostname>-<server|workstation>, like:
echo -e "[deployment-client]\nclientName = hostname-server"

Then your whitelist could be defined with just whitelist.0 = *-server.

That's a crude approach with stuff I haven't tested, but it gives you a sense of what could be possible.

0 Karma

jpetrakovic
Explorer

Thank you so much! I honestly didn't even consider manipulating the clientName field like that. I'll have to do some testing but I think this is the approach I'll take with this!

0 Karma
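
The clientName approach suggested in the thread, sketched for a Windows-only estate as an added example (not code from any poster or from Splunk). It derives the suffix from the OS role via Win32_OperatingSystem.ProductType instead of a hand-maintained list; the install path, the app directory name `org_deploymentclient`, the deployment server address, and the app names in the trailing comment are assumptions or placeholders.

```powershell
# Added example: set clientName to <hostname>-<server|workstation> from the OS role.
# Assumed default universal forwarder install path; adjust for your environment.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
# Hypothetical app directory that holds only deploymentclient.conf.
$AppLocal   = Join-Path $SplunkHome 'etc\apps\org_deploymentclient\local'
$ConfPath   = Join-Path $AppLocal 'deploymentclient.conf'
$DeployUri  = 'deploy.example.internal:8089'   # placeholder deployment server

function Get-RoleSuffix {
    param([int]$ProductType)
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    switch ($ProductType) {
        1       { 'workstation' }
        2       { 'server' }
        3       { 'server' }
        default { throw "Unexpected ProductType: $ProductType" }
    }
}

$os         = Get-CimInstance -ClassName Win32_OperatingSystem
$suffix     = Get-RoleSuffix -ProductType $os.ProductType
$clientName = '{0}-{1}' -f $env:COMPUTERNAME.ToLower(), $suffix

$conf = @"
[deployment-client]
clientName = $clientName

[target-broker:deploymentServer]
targetUri = $DeployUri
"@

# Create the app directory if needed, then write the config.
New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null
Set-Content -Path $ConfPath -Value $conf -Encoding ASCII

# Restart the forwarder so it phones home with the new clientName.
Restart-Service -Name SplunkForwarder

# Matching serverclass.conf on the deployment server (app names are hypothetical):
#   [serverClass:win_servers]
#   whitelist.0 = *-server
#   [serverClass:win_servers:app:TA_windows_inputs_server]
#
#   [serverClass:win_workstations]
#   whitelist.0 = *-workstation
#   [serverClass:win_workstations:app:TA_windows_inputs_workstation]
```

clientName is reported by the client itself, so treat the suffix as a routing label rather than a trust boundary.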