Hello,
I have data coming in near real-time to a host (Linux) where a UF is installed. It's a new push; the objective is to send these events to the SPLUNK indexer to view them from the search head. Everything is in place except I need to put new props.conf, inputs.conf, and transforms.conf files onto that server. My question is where and how should I put those configuration files: create a new folder local under the etc/apps/ folder from CLI and copy all these 3 configuration files, or copy all these configuration files into the ......etc/system/local folder.....or ....? Any recommendations will be highly appreciated. Thank you so much.
Hi @SplunkDash,
if the Universal Forwarder is already installed and configured to send data to Indexers and you only have to add a new input, you have to:
if apps are manually deployed to the Forwarder:
[monitor:///your_path/your_file.log]
index=your_index
sourcetype=your_sourcetype
disabled=0
if instead you deploy apps using the Deployment Server, you have to do the same thing on one inputs.conf that you can find in an app in $SPLUNK_HOME/etc/deployment/apps of the Deployment Server and then force the app deploy on the DS (splunk reload deploy-server)
Ciao.
Giuseppe
Hey @gcusello
What would you recommend between REST API and TCP to send data to a Third Party Server? The client doesn't prefer to go with the Syslog option. Thank you again.
I lost the link I posted yesterday and posted a new one. Here is the link:
Send Data from SPLUNK to Third Party Servers - Splunk Community
Thank you so much!
I submitted a request @ REST API to send Data to Third Party Server - Splunk Community
If you would like to participate in that discussion, it would be highly appreciated. Thank you!
Thank you so much as always. I need to create a new props due to the complexity of the data structure and use cases.
What is the best way to create a new dedicated app from CLI…it’s a completely new push. Can I create a new app folder from CLI and copy the content of any existing app there and modify its props and inputs configuration files? Thank you so much again.
Hi @SplunkDash,
you can use the approach you like and know best.
I usually create an app by CLI and manually create the folders and the files.
If you want to be more sure, you could use the App builder App on your Splunk Enterprise to check this TA before deploying it.
There's only one point of attention I'd highlight: if you have to deploy this app to Linux targets, don't create it on Windows because there could be permissions issues.
Ciao.
Giuseppe
I think that might be the smartest approach. Let me try this, thank you so much, appreciate your support in these efforts as always.
Hi @SplunkDash
yes, the best practice is to create a small app to hold your configuration.
Be careful: props and transforms don't work on the UF; if you want to use those files you have to install an HF.
Regards
Alessandro
Hello,
Thank you so much for your quick response....oh ok ..yes agree ..need to have HF....one question, how would I create a new app from CLI.... go to the /etc/apps folder, then.........mkdir NewappName, and then under that mkdir local, and then copy all configuration files under the local folder. Your recommendation will be highly appreciated. Thank you so much again.
Hi @SplunkDash
there are many ways to manage this
first one:
use a deployment server (recommended)
go to /opt/splunk/etc/deployment-apps/ and create your small app
mkdir -p small_app/local
and put your conf file in the local folder
go to the deployment server web interface and create a server class to push your new app.
connect via ssh to the HF and create a small app (not recommended)
quick tip
if you are not familiar with the cli you can use this app to manage conf by UI
https://splunkbase.splunk.com/app/4353/
Regards
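The app layout from the steps above can be scaffolded and checked in a staging directory before it is copied to the forwarder or the deployment server. This is an added example, not code from the thread or from Splunk; the function names, the staging directory and the "no group/world write" policy are assumptions, and the stanza values are the placeholders used in the thread.

```shell
#!/bin/sh
# Added example: scaffold and lint an inputs-only app in a staging directory.
# Function names and the "no group/world write" policy are assumptions.

make_input_app() {  # args: APPS_DIR APP_NAME LOG_PATH INDEX SOURCETYPE
    app="$1/$2"
    mkdir -p "$app/local" || return 1
    # monitor:// plus an absolute path yields the three slashes of the stanza
    cat > "$app/local/inputs.conf" <<EOF
[monitor://$3]
index = $4
sourcetype = $5
disabled = 0
EOF
    chmod 755 "$app" "$app/local" && chmod 644 "$app/local/inputs.conf"
}

lint_input_app() {  # arg: APP_DIR; returns 0 only if every check passes
    conf="$1/local/inputs.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    # Anything group- or world-writable lets another local user alter inputs
    loose=$(find "$1" \( -perm -020 -o -perm -002 \) | head -n 1)
    [ -z "$loose" ] || { echo "group/world-writable: $loose" >&2; return 1; }
    # Every [monitor://...] stanza must name its index and sourcetype
    awk '
        function check() {
            if (st != "" && !(idx && stype)) { print "incomplete: " st; bad = 1 }
        }
        /^\[/ { check(); st = ""; idx = 0; stype = 0 }
        /^\[monitor:\/\// { st = $0 }
        /^index[ \t]*=/ { idx = 1 }
        /^sourcetype[ \t]*=/ { stype = 1 }
        END { check(); exit bad + 0 }
    ' "$conf" >&2
}

# Constructed demo with the placeholder values used in the thread
stage=$(mktemp -d)
make_input_app "$stage" small_app /your_path/your_file.log your_index your_sourcetype
lint_input_app "$stage/small_app" && echo "small_app passes"
rm -rf "$stage"
```

On a real host the first argument would be the apps directory named in the thread, and the linted app would then be pushed the usual way.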
Thank you so much again: let me try this recommendation of yours and get back to you.
use a deployment server (recommended)
go to /opt/splunk/etc/deployment-apps/ and create your small app
mkdir -p small_app/local
and put your conf file in the local folder
Thank you!