Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Specifying a local Forwarder as member of predefined server class on deployment server

devsupport
Engager
‎04-02-2019 06:58 AM

We have defined server classes on our deployment server for tiered APP server roles based on machine prefix and works great. This is a way for us to define monitoring collection and run custom PowerShell scripts against a defined set of machines. We will soon be using a different server deployment process, installing the same APP server roles, but without the previous naming convention. At machine deployment time, we install a universal forwarder and could pass variables to the local inputs.conf.

Is there a way to configure a forwarder to specify it’s a member of a predefined server class?

PS: We looked at using _meta = foo:foo1 and doesn’t appear to do what we want because its search-time.

0 Karma
Reply

stath002
Path Finder
‎04-04-2019 07:14 AM

I believe you can define clientName in the deploymentclient.conf that can be the same across your forwarders. Then you would just add that to your whitelist in the serverclass.conf stanza you want and any forwarder you configure using that clientName would get the configs in the stanza with it as a whitelist.

eg. 

#deploymentClient.conf 
[deployment-client]
disabled = false
clientName = myAwesomeClient

#serverclass.conf
[serverClass:Some-stanza]
whitelist.0 = myAwesomeClient     
whitelist.1 = 192.168.1.1
[serverClass:Some-stanza:app:myAwesomeApp1]
[serverClass:Some-stanza:app:myAwesomeApp2]
Reply

sloshburch
Splunk Employee
Splunk Employee
‎05-10-2019 08:20 AM

Bingo. And if I ever get my act together, I'll write up a full walk through of this approach using naming conventions in the clientname to facilitate a salable DS model just as @stath002 described.

0 Karma
Reply

devsupport
Engager
‎04-04-2019 06:50 AM

I'm not sure if this question is phrased properly. We whitelist machines based on host prefix name. Without using a naming convention to allow/deny a host and apply correct monitoring, is there a different way to use our server classes by configuring something on the forwarder instead? Make sense?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...