All Apps and Add-ons

Where to install Splunk for JMX App in a distributed Splunk Env

Explorer

We have a distributed Splunk environment: universal forwarders sending to indexers and dedicated search heads. Where would you install the Splunk for JMX app? Does it need to be split among the various components?

1 Solution

Ultra Champion

You would need to split out the components of the app:

1) the data collection logic goes on the Splunk UF.

SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local

2) the index definition goes on the Splunk Indexer

SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf

3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)

SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*

Note :

You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app

props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.

View solution in original post

Communicator

Hi,

the folder bin/boot ist not deployed via Deplayment Server. What ist the problem?

0 Karma

Communicator

the folder is empty.

0 Karma

Ultra Champion

You would need to split out the components of the app:

1) the data collection logic goes on the Splunk UF.

SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local

2) the index definition goes on the Splunk Indexer

SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf

3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)

SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*

Note :

You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app

props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.

View solution in original post

Ultra Champion

Yes you are correct, thx 🙂 Forgot I was dealing with a UF in the original question.

0 Karma

Splunk Employee
Splunk Employee

Damien, if props.conf contains attributes that are used at index time it needs to go either at the indexer OR remain at the forwarder if it is a heavy forwarder.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!