All Apps and Add-ons

Splunk App for WIndows with multiple indexes

bkcarter
Path Finder

My scenario has a Splunk indexer (linux) that receives feeds from several heavy forwarder across a multi-company network.

Each Heavy forwarder resides in a subsidiary network and acts as the receiving point from Universal forwarders in that network.

There is a mix of Windows and Linux across all forwarder levels.

I am also using a Windows based Search Head for running the searches.

Each subsidiary company has it's own index, and we are set up with different user views for the different indexes. Both Linux and Windows data go into the same index as well as firewall logs, etc.

Company A personnel can see their index and all of the data within it. Company B can see theirs, etc.

My question: Is it possible to set up the Windows App to forward the data into the index depending on the forwarder it came from? I know this can be done, but I am looking for guidance on the best actual way to accomplish it.

Right now I have the Windows App installed on the Search head only.

Any guidance would be appreciated immensely!

0 Karma

lukejadamec
Super Champion

No.

This sort of thing should be done on each forwarder via the deployment server.

Set the inputs.conf default stanza to point to the correct index for the Windows forwarders:

index=desiredIndex

And remove index specifications from individual input stanzas that you wish to control from the deployed App's inputs.conf as necessary (make the change once and control them all!!!).

In your case, it would probably make things a lot simpler to create a separate deployment server on each primary heavy forwarder to manage that particular network.

0 Karma

lukejadamec
Super Champion

The app goes into the etc/deployment apps folder. Example: etc/deployment apps/TA_Windows
Add the app to the etc/system/local/serverclass.conf file. Example:
squarebracket serverClass:enter the serverclass name that you use to deploy the custom inputs.conf:app:TA_Windows squarebracket
stateOnClient = enabled
restartSplunkd = true
This will send out the app to your server class, just like your custom inputs.conf. If you have multiple server classes that require custom TA_Windows app configurations, then create a copy for each, and change the app name so it is different for each class.

0 Karma

bkcarter
Path Finder

That makes sense.

I already have a deployment server that manages all of the forwarders from a central location. I also have the input stanzas on all of the forwarders already set up to send the Windows Events and Performance info to the index. These are stanzas that I built from scratch, not from the app.

I am not using WMI but perfmon to get performance data from each forwarder (both types).

So how do I "deploy" the app via the deployment server to the forwarders. I have tried this before and it always confuses me.

What do I put where?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...