
How to deploy Windows TA over different environments / indexes

sassens1
Path Finder

Hello,

I plan to deploy windows TA to collect logs on AD and perhaps other windows servers/hosts as well.
However, I already have different indexes for different environments, so I don't want to use the default ones (windows, wineventlog, perfmon).
I use a deployment server and I'd like to find the best approach to do so.
So far I'm thinking about creating multiple versions of the Windows TA (i.e. one for each env) with a local inputs.conf file containing the index name, to be deployed on the UF.
I will deploy the original TA version on all my search heads+indexers.

What do you think? Any other ideas?
Thanks.


beatus
Communicator

sassens1,
I'm a big fan of using "Input Addons" aka IA-thing.

So it sounds like you could do the following:

  1. Push the default Splunk_TA_Windows to everything that needs it, with no inputs enabled.
  2. Create a baseline IA-windows that collects standard logs from all systems and deploy it to all. Note - if you need to send some systems' logs to specific indexes, then there may have to be multiple IAs here too.
  3. Create N number of specialized IA-* to collect specific logs from specific sets of systems.

So I agree with the idea, but use this as an opportunity to make the names make more sense.



sassens1
Path Finder

Hi,

Thanks for this answer. It helped a lot.
So if I got you right, what you propose is to deploy from my DS:
- TA_Windows (by default no input enabled)
- IA_Windows (created with inputs I want to collect from all sites )
and for each site/environment:
- IA_Windows_SiteX_PROD
- IA_Windows_SiteX_LAB

I think I'll use only specialized IA_windows_xxx because I want to send logs for each site to a specific index and moreover I don't want each site to know what is collected from all systems everywhere else.
It sounds quite manageable on a long-term basis; with a dozen sites and 2 environments I'll have 24 specialized IAs max.

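The split agreed on above, written out as an added example (this is not configuration from the thread, from Splunk_TA_Windows, or from Splunk's documentation): Splunk_TA_Windows goes everywhere with its inputs left disabled, and one site/environment-specific IA app carries the enabled inputs plus the index override, mapped to hosts by a deployment-server class. The app names follow sassens1's scheme; the server class, host pattern and index names are assumed placeholders.

```ini
# Added example, not from the thread. App names follow the thread's scheme;
# server class, host pattern and index names are placeholders.

# --- Splunk_TA_Windows ---
# Deployed to every forwarder, search head and indexer unchanged.
# Do not add a local/inputs.conf here: its default/inputs.conf keeps every
# stanza at disabled = 1, so on its own it collects nothing.

# --- IA_Windows_SiteX_PROD/local/inputs.conf ---
# Deployed only to Site X production hosts. Each stanza re-declares the
# same input name the TA defines, enables it and pins the index.
[WinEventLog://Security]
disabled = 0
index = sitex_prod_wineventlog

[WinEventLog://System]
disabled = 0
index = sitex_prod_wineventlog

[WinEventLog://Application]
disabled = 0
index = sitex_prod_wineventlog

# --- IA_Windows_SiteX_LAB/local/inputs.conf ---
# Identical input set, different index, deployed only to the LAB hosts.
[WinEventLog://Security]
disabled = 0
index = sitex_lab_wineventlog

[WinEventLog://System]
disabled = 0
index = sitex_lab_wineventlog

[WinEventLog://Application]
disabled = 0
index = sitex_lab_wineventlog

# --- $SPLUNK_HOME/etc/system/local/serverclass.conf on the deployment server ---
# One server class per site/environment; the host-name pattern is a placeholder.
[serverClass:sitex_prod_windows]
whitelist.0 = sitex-prod-*
machineTypesFilter = windows-x64

[serverClass:sitex_prod_windows:app:Splunk_TA_Windows]
restartSplunkd = true

[serverClass:sitex_prod_windows:app:IA_Windows_SiteX_PROD]
restartSplunkd = true

[serverClass:sitex_lab_windows]
whitelist.0 = sitex-lab-*
machineTypesFilter = windows-x64

[serverClass:sitex_lab_windows:app:Splunk_TA_Windows]
restartSplunkd = true

[serverClass:sitex_lab_windows:app:IA_Windows_SiteX_LAB]
restartSplunkd = true
```

Two checks are worth doing before rolling this out. First, the override only works because inputs.conf settings are global: any app's local/ directory takes precedence over any app's default/ directory, so the IA's `disabled = 0` and `index = ...` win over the TA's defaults no matter how the apps are named; on a forwarder, `splunk btool inputs list WinEventLog://Security --debug` shows which file each effective setting came from and is the quickest way to confirm the right IA landed on a host. Second, every index named in an IA must already be defined in indexes.conf on the indexers, or the events are dropped (or land in whatever `lastChanceIndex` is set to). Keeping one index per site and environment also has the access-control benefit sassens1 is after: Splunk roles grant search access by index, so a site's analysts can be restricted to their own data.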

beatus
Communicator

Yeah, that sounds good to me.
