- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk App for WIndows with multiple indexes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk App for WIndows with multiple indexes
My scenario has a Splunk indexer (linux) that receives feeds from several heavy forwarder across a multi-company network.
Each Heavy forwarder resides in a subsidiary network and acts as the receiving point from Universal forwarders in that network.
There is a mix of Windows and Linux across all forwarder levels.
I am also using a Windows based Search Head for running the searches.
Each subsidiary company has it's own index, and we are set up with different user views for the different indexes. Both Linux and Windows data go into the same index as well as firewall logs, etc.
Company A personnel can see their index and all of the data within it. Company B can see theirs, etc.
My question: Is it possible to set up the Windows App to forward the data into the index depending on the forwarder it came from? I know this can be done, but I am looking for guidance on the best actual way to accomplish it.
Right now I have the Windows App installed on the Search head only.
Any guidance would be appreciated immensely!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No.
This sort of thing should be done on each forwarder via the deployment server.
Set the inputs.conf default stanza to point to the correct index for the Windows forwarders:
index=desiredIndex
And remove index specifications from individual input stanzas that you wish to control from the deployed App's inputs.conf as necessary (make the change once and control them all!!!).
In your case, it would probably make things a lot simpler to create a separate deployment server on each primary heavy forwarder to manage that particular network.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The app goes into the etc/deployment apps folder. Example: etc/deployment apps/TA_Windows
Add the app to the etc/system/local/serverclass.conf file. Example:
squarebracket serverClass:enter the serverclass name that you use to deploy the custom inputs.conf:app:TA_Windows squarebracket
stateOnClient = enabled
restartSplunkd = true
This will send out the app to your server class, just like your custom inputs.conf. If you have multiple server classes that require custom TA_Windows app configurations, then create a copy for each, and change the app name so it is different for each class.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That makes sense.
I already have a deployment server that manages all of the forwarders from a central location. I also have the input stanzas on all of the forwarders already set up to send the Windows Events and Performance info to the index. These are stanzas that I built from scratch, not from the app.
I am not using WMI but perfmon to get performance data from each forwarder (both types).
So how do I "deploy" the app via the deployment server to the forwarders. I have tried this before and it always confuses me.
What do I put where?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
