We have a distributed Splunk environment: universal forwarders sending to indexers and dedicated search heads. Where would you install the Splunk for JMX app? Does it need to be split among the various components?
You would need to split out the components of the app:
1) the data collection logic goes on the Splunk UF.
SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local
2) the index definition goes on the Splunk Indexer
SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*
Note :
You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app
props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.
Hi,
the folder bin/boot ist not deployed via Deplayment Server. What ist the problem?
the folder is empty.
You would need to split out the components of the app:
1) the data collection logic goes on the Splunk UF.
SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local
2) the index definition goes on the Splunk Indexer
SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*
Note :
You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app
props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.
Yes you are correct, thx 🙂 Forgot I was dealing with a UF in the original question.
Damien, if props.conf contains attributes that are used at index time it needs to go either at the indexer OR remain at the forwarder if it is a heavy forwarder.