Is it possible to package an app of indexes, reports, and dashboards & a deployment-app for forwarders into one Splunk App?

anupjishnu
Path Finder

I have created an SPL package which installs the needed indexes, reports, and dashboards - everything that falls under the App folder in the structure below. However, our project also includes configurations sent to forwarders. The question is: can we (and if yes, how) package these deployment-apps and the configurations that we need to send to forwarders in the same SPL file?

$SPLUNK_HOME
     Etc
          App
               MyApp
                    Appserver
                         static
                              *.css
                    Bin
                    Default
                         *.conf
                         data
                              ui
                                   views
                                        *.xml
                    Local
                    Lookups
                         *.csv
                    Static
                         *.png

          Deployment-apps
               MyApp_dbextracts
                    local
                         *.conf
               MyApp_dfinputs
                    local
                         *.conf
               MyApp_forwarderoutputs
                    local
                         *.conf
0 Karma

esix_splunk
Splunk Employee

You can package all of these in one app and distribute the app. You do need to be aware that the indexes.conf, inputs.conf, and outputs.conf will be applied on all instances this is installed on, and of how this can affect the behaviour of the instance.

In line with best practices, I would recommend breaking out the knowledge objects (dashboards, searches, extractions, lookups, dashboards etc) and the indexes as a distinct app. (The index configuration we include in the SH anyways so that we can autocomplete the index name in searches.)

The inputs and outputs, I would break these out into separate apps also. Typically your outputs will be a global app, and your inputs are specific to the inputs. E.g., myorg_oracledb_inputs/.

0 Karma
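A pre-install check for the warning in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it lists the indexes.conf, inputs.conf and outputs.conf files inside an .spl (a gzip tarball) so you can see what would take effect on every instance the package is installed on. The function names and the sample package contents are constructed for illustration.

```python
import io
import tarfile

# Conf files the answer says are applied on every instance the app is installed on.
INSTANCE_WIDE = {"indexes.conf", "inputs.conf", "outputs.conf"}

def audit_spl(spl_bytes):
    """Return {app_name: ['default/x.conf', ...]} for instance-affecting confs."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(spl_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.strip("/").split("/")
            # Only look at <app>/<default|local>/<name>.conf entries.
            if not member.isfile() or len(parts) != 3:
                continue
            app, conf_dir, name = parts
            if conf_dir in ("default", "local") and name in INSTANCE_WIDE:
                findings.setdefault(app, []).append(f"{conf_dir}/{name}")
    return {app: sorted(confs) for app, confs in findings.items()}

def build_sample_spl(files):
    """Build an in-memory .spl from {path: text}. Constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: one combined app carrying both search-head content
# and the forwarder inputs/outputs, as proposed in the question.
COMBINED = build_sample_spl({
    "MyApp/default/app.conf": "[ui]\nlabel = MyApp\n",
    "MyApp/default/indexes.conf": "[myapp]\nhomePath = $SPLUNK_DB/myapp/db\n",
    "MyApp/default/savedsearches.conf": "[Errors]\nsearch = index=myapp error\n",
    "MyApp/default/data/ui/views/overview.xml": "<dashboard/>",
    "MyApp/local/inputs.conf": "[monitor:///var/log/myapp]\nindex = myapp\n",
    "MyApp/local/outputs.conf": "[tcpout]\ndefaultGroup = primary\n",
})

# Constructed sample: knowledge objects only, no instance-affecting confs.
KNOWLEDGE_ONLY = build_sample_spl({
    "MyApp/default/app.conf": "[ui]\nlabel = MyApp\n",
    "MyApp/default/savedsearches.conf": "[Errors]\nsearch = index=myapp error\n",
})

if __name__ == "__main__":
    for app, confs in audit_spl(COMBINED).items():
        print(f"{app}: applies on every instance -> {', '.join(confs)}")
```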

anupjishnu
Path Finder

I agree with your points. The question is, why create separate apps when there is only one Search Head (that is combined with the Deployment Server) and two indexers? Having a single deployment app will make it much easier to manage and deploy the app. After all, all of this belongs to the same app, so having multiple installs for the same app, all of which will be installed on the same box, is sort of counterintuitive.

0 Karma

FritzWittwer_ol
Contributor

Usually you will use two apps: one for the indexer and search head, and a second one, often called TA_xxx, which only gets loaded on the forwarder.

0 Karma

anupjishnu
Path Finder

What you are referring to, I guess, does not use Deployment Server. Most companies make use of Deployment Server to manage which forwarders get what configurations.

0 Karma

anupjishnu
Path Finder

Both Deployment Server and Search Head are on the same server.

0 Karma

somesoni2
SplunkTrust

The forwarder configuration will go to Search Head as well??

0 Karma