Looking for some inspiration or guidelines about namespaces whilst deploying apps from Deployment Server.
I have been selling splunk for about 6 years, and now I will be using Splunk for my new Job. I'm going to follow this convention.
Acme_DC_InfoSec_nix_HWFwd_inputs
Acme_NYC_IT_Win_IntFwd_outputs
Acme_SF_InfoSec_nix_EPFwd_deployclient
Acme_DC_Sales_MAC_HWFwd_limits
While similar to the accepted answer above, I find it easier to see what is/should be deployed where if there is a slightly different order to the parts of the app name.
We create apps based on functionality -- "Internal App for our main webapp cluster" will be the user-facing name of it (functionality to monitor the J2EE stacks that back our production website), but on the back end, I have 3 apps^W^W 6 apps defined:
(See the pattern, and how things would line up in the Deployment Server interface?)
The _data apps contain the index definitions and any index-time extractions (indexes.conf, fields.conf, etc.). This is deployed (via DS) to all of my indexers.
The _ui app has search-time configurations: saved searches, dashboards, search-time extractions, and other things that influence the user interface.
The _agent app gets sent via the DS to the relevant forwarders (in this example, it would be deployed to the internal app servers). This contains (basically) 2 pieces: inputs.conf and outputs.conf. What to look for, and where to send it, but sometimes the inputs require a python script or something in .../bin.
And of course, you have a test environment, right? 😉
A couple of code-requirements I've found useful in the apps:
webapp_index
instead. Just in case your index needs to be renamed (or the app published).
Will you give an example macro and an example search that uses it? I would probably use eventtypes for this abstraction instead.
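As an added example (not code from anyone in this thread), a small Python check for the _data/_ui/_agent split described in the answer above: it walks a deployment-apps directory and flags .conf files that do not belong to an app's role, such as an outputs.conf inside a _ui app, which would silently reroute a search head's data. The allowed-file mapping and the sample app tree are my own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed mapping of app role -> .conf files that belong there, following the
# _data (index-time), _ui (search-time) and _agent (inputs/outputs) split.
ROLE_ALLOWED = {
    "data": {"app.conf", "indexes.conf", "fields.conf", "props.conf", "transforms.conf"},
    "ui": {"app.conf", "savedsearches.conf", "macros.conf", "eventtypes.conf",
           "tags.conf", "props.conf", "transforms.conf"},
    "agent": {"app.conf", "inputs.conf", "outputs.conf", "props.conf",
              "deploymentclient.conf", "limits.conf"},
}

def app_role(app_name):
    """Return the role suffix (data/ui/agent) of an app directory name, or None."""
    m = re.search(r"_(data|ui|agent)$", app_name)
    return m.group(1) if m else None

def audit_app(app_dir):
    """Return (app, problem) pairs: conf files that do not fit the app's role."""
    app_dir = Path(app_dir)
    role = app_role(app_dir.name)
    if role is None:
        return [(app_dir.name, "(name does not end in _data/_ui/_agent)")]
    findings = []
    for sub in ("default", "local"):  # both layers ship with the app via the DS
        layer = app_dir / sub
        if layer.is_dir():
            for conf in sorted(layer.glob("*.conf")):
                if conf.name not in ROLE_ALLOWED[role]:
                    findings.append((app_dir.name, f"{sub}/{conf.name}"))
    return findings

def audit_deployment_apps(root):
    """Audit every app directory under root (e.g. $SPLUNK_HOME/etc/deployment-apps)."""
    return [f for d in sorted(Path(root).iterdir()) if d.is_dir() for f in audit_app(d)]

def audit_sample():
    """Constructed sample tree: a _ui app wrongly carrying outputs.conf and an
    _agent app wrongly carrying savedsearches.conf; returns the audit findings."""
    files = {
        "int_webapp_data/default/indexes.conf": "[webapp]\nhomePath = $SPLUNK_DB/webapp/db\n",
        "int_webapp_ui/default/macros.conf": "[int_webapp_idx1]\ndefinition = index=webapp\n",
        "int_webapp_ui/local/outputs.conf": "[tcpout]\ndefaultGroup = prod\n",
        "int_webapp_agent/default/inputs.conf": "[monitor:///var/log/app]\nindex = webapp\n",
        "int_webapp_agent/default/savedsearches.conf": "[x]\nsearch = index=webapp\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body)
        return audit_deployment_apps(tmp)

if __name__ == "__main__":
    for app, problem in audit_sample():
        print(f"{app}: {problem}")
```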
sorry for the delay:
default/macros.conf
[int_webapp_idx1]
definition = index=the_real_index_name

default/savedsearches.conf
[Event count by host last 15 minutes]
search = `int_webapp_idx1`
dispatch.earliest_time = -7d
The macro name gets enclosed in backquotes in the query, which turns that bit of the answer into "code" and mangles my answer
$SPLUNK_HOME/bin/splunk btool --debug check >/dev/null 2>&1
$SPLUNK_HOME/bin/splunk btool --debug inputs list > $SPLUNK_HOME/var/log/splunk/btool_inputs.log
Windows bat:
ECHO OFF
"%SPLUNK_HOME%\bin\splunk" btool --debug check > nul
"%SPLUNK_HOME%\bin\splunk" btool --debug inputs list > "%SPLUNK_HOME%\var\log\splunk\btool_inputs.log"
awesome insight @Colin Humphreys! thanks man!
I have a rule to minimize rate of change when possible, so I would follow a 5 step process.
1) Add NewApp (cp OldApp NewApp)
2) Using the Deployment GUI, map the NewApp to the same set of clients as the OldApp was mapped to
Wait-Verify
3) Remove the OldApp from clients
Wait-Verify
4) Remove the OldApp from the CLI
5) Modify NewApp as needed
On to your next question... If you are moving something from system/local then you are correct. That would be step 4 above - then you would still need a service restart.
If you would like to understand where you are getting configurations from, use the btool command.
./splunk cmd btool props list --debug
cheers @williamwar! 2 follow-ups for you: