My scenario has a Splunk indexer (Linux) that receives feeds from several heavy forwarders across a multi-company network.
Each heavy forwarder resides in a subsidiary network and acts as the receiving point for universal forwarders in that network.
There is a mix of Windows and Linux across all forwarder levels.
I am also using a Windows based Search Head for running the searches.
Each subsidiary company has its own index, and we are set up with different user views for the different indexes. Both Linux and Windows data go into the same index, as well as firewall logs, etc.
Company A personnel can see their index and all of the data within it. Company B can see theirs, etc.
My question: Is it possible to set up the Windows App to forward the data into the index depending on the forwarder it came from? I know this can be done, but I am looking for guidance on the best actual way to accomplish it.
Right now I have the Windows App installed on the Search head only.
The app goes into the etc/deployment-apps folder. Example: etc/deployment-apps/TA_Windows
Add the app to the etc/system/local/serverclass.conf file. Example:
[serverClass:<enter the serverclass name that you use to deploy the custom inputs.conf>:app:TA_Windows]
stateOnClient = enabled
restartSplunkd = true
This will send out the app to your server class, just like your custom inputs.conf. If you have multiple server classes that require custom TA_Windows app configurations, then create a copy for each, and change the app name so it is different for each class.
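A worked layout for the steps in the answer above, added here as an example and not code from the original thread. It writes one copy of the Windows TA per subsidiary under etc/deployment-apps, each copy carrying a local/inputs.conf that pins that company's index, and appends the matching serverClass stanzas (whitelisted by forwarder hostname) to etc/system/local/serverclass.conf. The app names TA_Windows_CompanyA and TA_Windows_CompanyB, the index names companya_idx and companyb_idx, the host patterns companya-* and companyb-*, and the specific WinEventLog and perfmon stanzas are assumptions chosen for illustration; SPLUNK_HOME defaults to /opt/splunk.

```shell
#!/bin/sh
# Added example (not from the original post). Builds per-company copies of the
# Windows TA for the deployment server and the serverclass.conf stanzas that
# push them. All company/app/index/host names below are hypothetical.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # assumption: default install path

# make_company_app <company> <index>
# Writes etc/deployment-apps/TA_Windows_<company>/local/inputs.conf with every
# input pinned to <index>, and prints the app name.
make_company_app() {
    company="$1"; index="$2"
    app="TA_Windows_$company"
    dir="$SPLUNK_HOME/etc/deployment-apps/$app/local"
    mkdir -p "$dir"
    cat > "$dir/inputs.conf" <<EOF
# Generated for $company: every input in this app copy writes to index=$index
[WinEventLog://Security]
disabled = 0
index = $index

[WinEventLog://System]
disabled = 0
index = $index

[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
index = $index
EOF
    echo "$app"
}

# add_serverclass <company> <host_glob> <app>
# Appends a serverClass stanza (membership by hostname glob) and the app stanza
# that ties the company's TA copy to it, matching the layout in the answer.
add_serverclass() {
    company="$1"; host_glob="$2"; app="$3"
    conf="$SPLUNK_HOME/etc/system/local/serverclass.conf"
    mkdir -p "$(dirname "$conf")"
    cat >> "$conf" <<EOF
[serverClass:$company]
whitelist.0 = $host_glob

[serverClass:$company:app:$app]
stateOnClient = enabled
restartSplunkd = true

EOF
}

# index_for_app <app>
# Reads back the single index an app copy pins; use it to verify that no
# company's copy points at another company's index before reloading.
index_for_app() {
    sed -n 's/^index = //p' "$SPLUNK_HOME/etc/deployment-apps/$1/local/inputs.conf" | sort -u
}

# deploy_all: one app copy and one server class per subsidiary (hypothetical names)
deploy_all() {
    appA=$(make_company_app CompanyA companya_idx)
    add_serverclass CompanyA 'companya-*' "$appA"
    appB=$(make_company_app CompanyB companyb_idx)
    add_serverclass CompanyB 'companyb-*' "$appB"
}

# Run with an argument of "run" to generate the files, then tell the deployment
# server to re-read serverclass.conf:  "$SPLUNK_HOME/bin/splunk" reload deploy-server
if [ "${1:-}" = "run" ]; then
    deploy_all
fi
```

After generating the files, run "$SPLUNK_HOME/bin/splunk" reload deploy-server on the deployment server so the new server classes are picked up; each forwarder whose hostname matches a whitelist receives only its own company's copy of the TA, and with restartSplunkd = true it restarts splunkd once the app lands. Because the per-company search views on the search head rely on index separation, the index = value inside each deployed copy is what actually keeps Company A's Windows data out of Company B's view, so check it (index_for_app above) before the reload rather than after data has been indexed.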
I already have a deployment server that manages all of the forwarders from a central location. I also have the input stanzas on all of the forwarders already set up to send the Windows Events and Performance info to the index. These are stanzas that I built from scratch, not from the app.
I am not using WMI but perfmon to get performance data from each forwarder (both types).
So how do I "deploy" the app via the deployment server to the forwarders. I have tried this before and it always confuses me.