I have created SPL package which installs the needed indexes, reports, & dashboards - all what falls under the App folder in structure below. However, our project also includes configurations sent to forwarders. Question is, Can we (if yes, how) we package these deployment-app apps & configurations that we need to send to forwarders in same SPL file?
$SPLUNK_HOME Etc App MyApp Appserver static *.css Bin Default *.conf data ui views *.xml Local Lookups *.csv Static *.png Deployment-apps MyApp_dbextracts local *.conf MyApp_dfinputs local *.conf MyApp_forwarderoutputs local *.conf
You can package all of these in one app and distribute the app. You do need to be aware that the indexes.conf, inputs.conf, and outputs.conf will be applied on all instances this is installed on and how this can effect behaviour of the instance.
In line with best practices, I would recommend breaking out the knowledge objects (dashboards, searches, extractions, lookups, dashboards etc) and the indexes as a distinct app. (The index configuration we include in the SH anyways so that we can autocomplete the index name in searches.)
The inputs and outputs, I would break these out into separate apps also. Typically your outputs will be a global app, and your inputs are specific to the inputs. E.g., myorg_oracledb_inputs/.
I agree with your points. Question is, why to create separate apps when there is only one Search Head (that is combined with Deployment Server) and two indexers? Having a single deployment app will make it much easier to manage and deploy the app. After all, all this belong to the same app, so having multiple installs for the same app and all of which will be installed on the same box, is sort of counter intuitive.