All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to deploy windows TA over different environment / indexes

sassens1
Path Finder
‎04-03-2017 09:59 AM

Hello,

I plan to deploy windows TA to collect logs on AD and perhaps other windows servers/hosts as well.
However I already have different indexes for different environments so I don't want to use the default ones (windows,wineventlog, perfmon).
I use a deployment server and I'd like to find the best approach to do so.
So far I'm thinking about creating multiple version of the windows TA (i.e. 1 for each env) with a local inputs.conf file with the index name to be deployed on the UF.
I will deploy the original TA version on all my search heads+indexers.

what do you think? any other idea?
thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

beatus
Communicator
‎04-03-2017 10:45 AM

sassens1,
I'm a big fan of using "Input Addons" aka IA-thing.

So it sounds like you could the following:

  1. Push the default Splunk_TA_Windows to everything that needs it, with no inputs enabled.
  2. Create a baseline IA-windows that collects standard logs from all systems and deploy to all. Note - if you need to send some system's logs to specific indexes, then there may have to be mutliple IAs here too.
  3. Create N number of specialized IA-* to collect specific logs from specific sets of systems.

So I agree with the idea, but use this as an opportunity to make the names make more sense.

View solution in original post

Reply
Solved! Jump to solution
Solution

beatus
Communicator
‎04-03-2017 10:45 AM

sassens1,
I'm a big fan of using "Input Addons" aka IA-thing.

So it sounds like you could the following:

  1. Push the default Splunk_TA_Windows to everything that needs it, with no inputs enabled.
  2. Create a baseline IA-windows that collects standard logs from all systems and deploy to all. Note - if you need to send some system's logs to specific indexes, then there may have to be mutliple IAs here too.
  3. Create N number of specialized IA-* to collect specific logs from specific sets of systems.

So I agree with the idea, but use this as an opportunity to make the names make more sense.

Reply
Solved! Jump to solution

sassens1
Path Finder
‎04-07-2017 12:07 AM

Hi,

thanks for this answer It helped a lot.
so If I got you right what you propose is to deploy from my DS:
- TA_Windows (by default no input enabled)
- IA_Windows (created with inputs I want to collect from all sites )
and for each site/environment:
- IA_Windows_SiteX_PROD
- IA_Windows_SiteX_LAB

I think I'll use only specialized IA_windows_xxx because I want to send logs for each site to a specific index and moreover I don't want each site to know what is collected from all systems everywhere else.
it sounds quite manageable on a long term basis with a dozen of sites and 2 environment I'll have 24 specialized IA max.

0 Karma
Reply
Solved! Jump to solution

beatus
Communicator
‎04-07-2017 05:34 AM

Yeah, that sounds good to me.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...