All Apps and Add-ons

Where to install Splunk for JMX App in a distributed Splunk Env

micwhite
Explorer

We have a distributed Splunk environment: universal forwarders sending to indexers and dedicated search heads. Where would you install the Splunk for JMX app? Does it need to be split among the various components?

1 Solution

Damien_Dallimor
Ultra Champion

You would need to split out the components of the app:

1) the data collection logic goes on the Splunk UF.

SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local

2) the index definition goes on the Splunk Indexer

SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf

3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)

SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*

Note :

You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app

props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.

View solution in original post

amielke
Communicator

Hi,

the folder bin/boot ist not deployed via Deplayment Server. What ist the problem?

0 Karma

amielke
Communicator

the folder is empty.

0 Karma

Damien_Dallimor
Ultra Champion

You would need to split out the components of the app:

1) the data collection logic goes on the Splunk UF.

SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local

2) the index definition goes on the Splunk Indexer

SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf

3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)

SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*

Note :

You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app

props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.

Damien_Dallimor
Ultra Champion

Yes you are correct, thx 🙂 Forgot I was dealing with a UF in the original question.

0 Karma

_d_
Splunk Employee
Splunk Employee

Damien, if props.conf contains attributes that are used at index time it needs to go either at the indexer OR remain at the forwarder if it is a heavy forwarder.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...