All Apps and Add-ons

Getting specific MS SQL perform on selected hosts

jasonlow
Loves-to-Learn

Hi. With the MS SQL add-on, how would I go about ingesting specific SQL perfmon source types on selected hosts? For instance, ingest perfmon:sqlserverhost:processor from hosts A, B and C. On host D, perfmon:sqlserverhost:processor and perfmon:sqlserverhost:memory. And on every other SQL hosts, ingest all perfmon source types perfmon:sqlserverhost:*.

0 Karma

DavidHourani
Super Champion

Hi @jasonlow,

In order to achieve that you will need to define 3 apps. One for hosts A,B,C. One for host D. And one for the others. For each of these apps you will create the right inputs.conf to read only the perfmon required by that group.
Here's the doc for creating deployment apps :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Updating/Createdeploymentapps

Then from your deployment server you can send the app to the right hosts by creating serverclasses and pushing the apps out.
Here's the doc for deploying apps from the deployment server:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Updating/Useforwardermanagementtomanageapps

Let me know if you need further clarifications.

Cheers,
David

0 Karma

jasonlow
Loves-to-Learn

Hi David. Thanks for helping me get started.

In my example, would I create three instances/copies of the MS SQL add-on, ie. Splunk_TA_microsoft-sqlserver_Grp1, Splunk_TA_microsoft-sqlserver_Grp2, and Splunk_TA_microsoft-sqlserver_Grp3, each with its own inputs.conf?

Or could I achieve the same goal by creating a fourth instance of the MS SQL add-on with the folder structure shown below (with \local but no inputs.conf) pushed out to all SQL hosts:

\Splunk_TA_microsoft-sqlserver
license-eula.txt
license-eula.rtf
app.manifest
README.txt
\lookups
\metadata
\default
\samples
\static
\local
eventtypes.conf
tags.conf
app.conf
sqlserver_dbx2.conf
db_input_templates.conf
eventgen.conf
transforms.conf
(NO inputs.conf)
props.conf
savedsearches.conf
\data

And each SQL host will then get a second app with just the inputs.conf customized with the proper perfmon stanzas:

\Splunk_TA_microsoft-sqlserver_Grp1
\local
inputs.conf

\Splunk_TA_microsoft-sqlserver_Grp2
\local
inputs.conf

\Splunk_TA_microsoft-sqlserver_Grp3
\local
inputs.conf

So each SQL host will get two apps - the complete SQL add-on app and a custom add-on with just inputs.conf. Is the second method do-able and am I making it more complicated than it needs to be?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...