Deployment App strategy

trross33
Path Finder

Would anyone have advice on the following?

I am deploying the Splunk Universal Forwarder in a mixed Windows environment. I have some IIS servers, some 2003 servers, some 2008 servers, and a few other applications as well.

When configuring deployment apps to be sent to the universal forwarder on these servers, is it best to configure a separate app for each "type" of server? For example,

  1. Have a blanket/generic app that deploys to all windows servers, which collects generic data that I would want to collect on all windows servers.
  2. Create a separate app for IIS servers, which will collect the IIS log that doesn't exist on every server.
  3. Blacklist the IIS servers from the blanket/generic app.

-OR-

Would it be best to just deploy one app to all Windows servers, including the collection for the IIS log? I'm assuming it will only generate an error that the log cannot be found...

I'm just curious as to how granular a person should get, or if granularizing for this purpose is just management overhead with little benefit.

Thanks!

0 Karma
1 Solution

gkanapathy
Splunk Employee

I would create:

  • one app for base Windows OS data
  • one app for IIS application, just specifying collection of IIS data
  • one more app for each other type of application with a distinct set of data and properties (if any, e.g., if someday you monitor Exchange, or MSSQL, or whatever)

First, whitelist/list all Windows servers into a class for the first app. Then, whitelist all IIS servers for the second app in a different class, and so on for each app.

The inputs will layer on top of each other, so it's fine to have a server whitelist into multiple apps.

This approach allows you to change and manage according to the application or use case, rather than according to sets of servers. This would be a best practice. In general, you should create apps that describe the application or use case, regardless of what server it's on, then map those to the appropriate servers using Deployment Server.

trross33
Path Finder

So if I am deploying the Splunk for Windows app for these servers, and using its input file, would it be best to just add another input file for the other servers, in a separate app, or copy the Splunk for Windows app, rename it, and modify its input file... Thanks...

0 Karma

hazekamp
Builder

trross33,

I would personally recommend creating a "base" deployment application which has a common set of inputs for data you want to collect across the environment. From there you can create specific deployment applications which address inputs on a per-server-type basis. In the example above the IIS server would get both the "win_base" input app and the "iis" input app. An Exchange server might get the "win_base" input app and the "exchange" input app.

0 Karma
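A concrete layout for the layered design that gkanapathy and hazekamp describe above, written as an added example (it is not either poster's configuration). The hostname patterns, app names and index names are constructed assumptions; the stanza and key names are standard Splunk serverclass.conf and inputs.conf syntax.

```ini
# --- serverclass.conf on the Deployment Server ---
# ($SPLUNK_HOME/etc/system/local/serverclass.conf)
# A forwarder that matches several server classes receives the app of
# every class it matches, so the inputs layer instead of conflicting.

[serverClass:win_base]
# every Windows forwarder: hostname pattern (constructed) plus OS filter
whitelist.0 = *.corp.example
machineTypesFilter = windows-x64, windows-intel

[serverClass:win_base:app:win_base_inputs]
restartSplunkd = true

[serverClass:iis]
# only the web tier; these hosts also match win_base and get both apps
whitelist.0 = web-*.corp.example
machineTypesFilter = windows-x64, windows-intel

[serverClass:iis:app:iis_inputs]
restartSplunkd = true

# --- deployment-apps/win_base_inputs/local/inputs.conf ---
# common OS telemetry; Security goes to its own index so read access
# to it can be restricted separately from the rest of the OS data
[WinEventLog://Security]
disabled = 0
index = wineventlog_security

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

# --- deployment-apps/iis_inputs/local/inputs.conf ---
# only present on hosts in the iis class, so no "file not found"
# noise from hosts that never had an IIS log
[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
sourcetype = iis
index = web
```

After editing, run `splunk reload deploy-server` on the Deployment Server and confirm each host appears in the expected classes with `splunk list deploy-clients`; a web server that shows only win_base means its hostname did not match the iis whitelist pattern.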