All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Cloud - what's the best practice to send logs via unix app to cloud from test and prod servers?

lakshman239
Influencer
‎08-12-2016 04:53 AM

We have a splunk cloud that acts as both test and prod env. I can load the splunk unix and windows add-on to the cloud with splunk support/managed service.
For test env, on the data sources, I can create local/inputs.conf to have index "os_test" and for prod "os_prod". This way the data should be landing in diff indexes in the splunk cloud.

My question is if we deploy the standard unix and windows add-on to the cloud, how do we add the additional os_test and os_prod indexes? will adding indexes via the GUI be sufficient or is there a better practice to manage them in such situations? we would want to add multiple copies of the same app with different indexes, if possible.

Thanks in advance.

0 Karma
Reply

khourihan_splun
Splunk Employee
Splunk Employee
‎08-15-2016 04:20 PM

If you are asking will the app work if you use different index names? in the Unix app, in particular, it uses a macro os_index see below:

alt text

You'd need to add the additional index names into that Macro.

I've not used the *nix app in a while, but looks like you can do some setup using the app's GUI:

alt text

So hopefully you will be able to effect the change that way, but editing the macro is a sure fire way.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

khourihan_splun
Splunk Employee
Splunk Employee
‎08-15-2016 11:57 AM

If the app doesn't have the indexes declared in it (an indexes.conf bundled with it), you will have to create the indexes manually via GUI. You will get an error saying something about an unknown / unconfigured index if you are forwarding to an index that doesn't exist.

0 Karma
Reply

lakshman239
Influencer
‎08-15-2016 12:12 PM

Thanks Khourihan. The default *nix app comes with 'indexes.conf' (e.g. os). Yes, I can add an index via cloud GUI and that should be setup/copied on to indexers.

The question is can I have os_test and os_prod created from GUI, with just one add-on (i.e. Splunk_TA_nix) loaded on to cloud, as opposed to creating multiple copies. Pls let me know, if I am not clear.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-12-2016 05:06 AM

You would need splunk support to create two of the same app but that should be doable too.

I dont believe there is a "best practice" other than what you already have in mind. Two apps, each with it's own 'os_index' macro.

0 Karma
Reply

lakshman239
Influencer
‎08-15-2016 12:10 PM

Thanks Jkat. Let me chk and get back.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...