
Where to place configuration files for universal forwarder push?

SplunkDash
Motivator

Hello,

I have data coming in near real-time to a host (Linux) where a UF is installed. It's a new push; the objective is to send these events to the SPLUNK indexer to view them from the search head. Everything is in place except I need to put new props.conf, inputs.conf, and transforms.conf files onto that server. My question is where and how I should put those configuration files: create a new folder local under the etc/apps/ folder from the CLI and copy all 3 configuration files there, or copy all these configuration files into the ......etc/system/local folder.....or ....? Any recommendations will be highly appreciated. Thank you so much.


gcusello
SplunkTrust

Hi @SplunkDash,

If the Universal Forwarder is already installed and configured to send data to Indexers and you only have to add a new input, you have to:

if apps are manually deployed to the Forwarder:

  • open an inputs.conf in another app,
  • add a stanza like this:
[monitor:///your_path/your_file.log]
index=your_index
sourcetype=your_sourcetype
disabled=0
  • restart Splunk on Forwarder.

If instead you deploy apps using the Deployment Server, you have to do the same thing on one inputs.conf that you can find in an app in $SPLUNK_HOME/etc/deployment/apps of the Deployment Server and then force app deploy on DS (splunk reload deploy-server).

Ciao.

Giuseppe


SplunkDash
Motivator

Hey @gcusello 

What would you recommend between REST API and TCP to send data to a Third Party Server? The client doesn't prefer to go with the Syslog option. Thank you again.


SplunkDash
Motivator

I lost the link I posted yesterday and posted new one. Here is the link:

Send Data from SPLUNK to Third Party Servers - Splunk Community

Thank you so much!

@gcusello


SplunkDash
Motivator

@gcusello 

I submitted a request @ REST API to send Data to Third Party Server - Splunk Community

If you would like to participate in that discussion, it would be highly appreciated. Thank you!


SplunkDash
Motivator

@gcusello 

Thank you so much as always. I need to create a new props due to the complexity of the data structure and use cases.
What is the best way to create a new dedicated app from CLI…it’s a completely new push. Can I create a new app folder from CLI and copy the content of any existing app there and modify its props and inputs configuration files? Thank you so much again.


gcusello
SplunkTrust

Hi @SplunkDash,

You can use the approach you like and know better.

I usually create an app by CLI and manually create the folders and the files.

If you want to be more sure, you could use the App builder App on your Splunk Enterprise to check this TA before deploying it.

There's only one point of attention I'd highlight: if you have to deploy this app to Linux targets, don't create it on Windows because there could be permissions issues.

Ciao.

Giuseppe

SplunkDash
Motivator

@gcusello 

I think that might be the smartest approach. Let me try this, thank you so much, appreciate your support in these efforts as always.


aasabatini
Motivator

Hi @SplunkDash 

Yes, the best practice is to create a small app to put your configuration in.

Be careful: props and transforms don't work on the UF; if you want to use those files you have to install an HF.

Regards

Alessandro

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

SplunkDash
Motivator

Hello,

Thank you so much for your quick response....oh ok ..yes agree ..need to have HF....one question, how would I create a new app from CLI.... go to the /etc/apps folder, then.........mkdir NewappName, and then under that mkdir local, and then copy all configuration files under the local folder. Your recommendation will be highly appreciated. Thank you so much again.


aasabatini
Motivator

Hi @SplunkDash 

 

there are many ways to manage this

first one:

use a deployment server (recommended)

go on the /opt/splunk/etc/deployment-apps/ and create your small app

mkdir -p small_app/local

and put your conf file on the local folder

go on the deployment server web interface and create a class server to push your new app.

connect in ssh on the HF and create a small app (not recommended)

quick tip

if you are not familiar with the cli you can use this app to manage conf by UI

https://splunkbase.splunk.com/app/4353/

Regards

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
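
The app layout described in the replies above, as an added shell example that is not part of any poster's reply: it creates the `local` folder with the thread's `inputs.conf` stanza and checks the app before it is pushed. The function names `scaffold_app` and `lint_app` are hypothetical, and the line-ending and index/sourcetype checks go beyond the permissions point raised in the thread.

```shell
#!/bin/sh
# Added example. scaffold_app and lint_app are hypothetical helper names.

# Create <apps_dir>/<app>/local/inputs.conf with the monitor stanza from the
# thread (path, index and sourcetype are the thread's placeholders).
scaffold_app() {
    apps_dir=$1; app=$2
    (
        umask 027    # new dirs 0750, files 0640: no access for "other"
        mkdir -p "$apps_dir/$app/local" &&
        cat > "$apps_dir/$app/local/inputs.conf" <<'EOF'
[monitor:///your_path/your_file.log]
index=your_index
sourcetype=your_sourcetype
disabled=0
EOF
    )
}

# Return non-zero if the app should not be pushed as it stands.
lint_app() {
    app_dir=$1; rc=0
    # World-writable paths let any local account alter what gets collected.
    if [ -n "$(find "$app_dir" ! -type l -perm -0002 -print)" ]; then
        echo "lint: world-writable path under $app_dir" >&2; rc=1
    fi
    # Carriage returns mean a file was written with Windows line endings.
    cr=$(printf '\r')
    if grep -rl "$cr" "$app_dir" >/dev/null 2>&1; then
        echo "lint: CRLF line endings under $app_dir" >&2; rc=1
    fi
    # Events should not land in a default index or get a guessed sourcetype.
    for key in index sourcetype; do
        grep -q "^$key[[:space:]]*=" "$app_dir/local/inputs.conf" 2>/dev/null ||
            { echo "lint: inputs.conf sets no $key" >&2; rc=1; }
    done
    return $rc
}

# Demo in a throwaway directory instead of a real deployment-apps folder.
demo=$(mktemp -d)
scaffold_app "$demo" small_app && lint_app "$demo/small_app" && echo "small_app: ok"
rm -rf "$demo"
```

Run it as the account that owns the Splunk installation so the 0750/0640 modes still leave the files readable to Splunk.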

SplunkDash
Motivator

@aasabatini 

Thank you so much again: let me try your recommendation and get back to you.

use a deployment server (recommended)

go on the /opt/splunk/etc/deployment-apps/ and create your small app

mkdir -p small_app/local

and put your conf file on the local folder

Thank you!

 
