Deployment App strategy

Path Finder

Would anyone have advice on the following?

I am deploying the Splunk universal forwarder in a mixed Windows environment. I have some IIS servers, some 2003 servers, some 2008 servers, and a few other applications as well.

When configuring deployment apps to be sent to the universal forwarder on these servers, is it best to configure a separate app for each "type" of server? For example:

  1. Have a blanket/generic app that deploys to all Windows servers, which collects generic data that I would want to collect on all Windows servers.
  2. Create a separate app for IIS servers, which will collect the IIS log that doesn't exist on every server.
  3. Blacklist the IIS servers from the blanket/generic app.

-OR-

Would it be best to just deploy one app to all Windows servers, including the collection for the IIS log? I'm assuming it will only generate an error that the log cannot be found...

I'm just curious as to how granular a person should get, or if granularizing for this purpose is just management overhead with little benefit.

Thanks!

0 Karma

Re: Deployment App strategy

Builder

trross33,

I would personally recommend creating a "base" deployment application which has a common set of inputs for data you want to collect across the environment. From there you can create specific deployment applications which address inputs on a per-server-type basis. In the example above the IIS server would get both the "win_base" input app and the "iis" input app. An Exchange server might get the "win_base" input app and the "exchange" input app.

0 Karma

Re: Deployment App strategy

Splunk Employee

I would create:

  • one app for base Windows OS data
  • one app for IIS application, just specifying collection of IIS data
  • one more app for each other type of application with a distinct set of data and properties (if any, e.g., if someday you monitor Exchange, or MSSQL, or whatever)

First, whitelist/list all Windows servers into a class for the first app. Then, whitelist all IIS servers for the second app in a different class, and so on for each app.

The inputs will layer on top of each other, so it's fine to have a server whitelist into multiple apps.

This approach allows you to change and manage according to the application or use case, rather than according to sets of servers. This would be a best practice. In general, you should create apps that describe the application or use case, regardless of what server it's on, then map those to the appropriate servers using Deployment Server.

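The layered layout described in the two replies above, written out as an added configuration example (not taken from the original posts). The app names `win_base` and `iis` come from the first reply; the server class names, the `web-iis-*` host pattern, the monitored IIS log path and the choice of the Security event log as the base input are assumptions to adapt to your environment.

```ini
# --- serverclass.conf on the deployment server ---

# Class 1: every Windows forwarder receives the base app.
# machineTypesFilter restricts the wildcard match to Windows clients.
[serverClass:all_windows]
whitelist.0 = *
machineTypesFilter = windows-intel, windows-x64

[serverClass:all_windows:app:win_base]
stateOnClient = enabled
restartSplunkd = true

# Class 2: IIS hosts only (host pattern is an assumption).
# These hosts also remain members of all_windows, so they get both apps
# and nothing has to be blacklisted from the base class.
[serverClass:iis_servers]
whitelist.0 = web-iis-*

[serverClass:iis_servers:app:iis]
stateOnClient = enabled
restartSplunkd = true

# --- deployment-apps/win_base/local/inputs.conf ---
# Base input collected on every Windows server (example choice).
[WinEventLog://Security]
disabled = 0

# --- deployment-apps/iis/local/inputs.conf ---
# IIS-specific input; the log directory is an assumption and differs
# between IIS versions and site configurations.
[monitor://C:\inetpub\logs\LogFiles]
sourcetype = iis
disabled = 0
```

After editing `serverclass.conf`, run `splunk reload deploy-server` on the deployment server so clients pick up the new class mappings.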


Re: Deployment App strategy

Path Finder

So if I am deploying the Splunk for Windows app for these servers, and using its input file, would it be best to just add another input file for the other servers, in a separate app, or copy the Splunk for Windows app, rename it, and modify its input file? Thanks...

0 Karma