Deployment Architecture

Deployment Server - How to deploy same app with different configs based on Classes?

att35
Builder

Hi,

We have all our forwarders connected to the Deployment Server. One of the first apps we would like to deploy is the Splunk_TA_windows add-on. We have the app configured with all the common input settings but our Domain Controllers have an additional WinEventLog source for which inputs.conf needs to be adjusted.

e.g. inputs.conf that is applicable for all Windows Servers will have

[WinEventLog://A]
[WinEventLog://B]
[WinEventLog://C]

But there is an additional input D only on Domain Controllers so inputs.conf there should look like:

[WinEventLog://A]
[WinEventLog://B]
[WinEventLog://C]
[WinEventLog://D]

We cant deploy the same app everywhere because for most of the servers, source D does not exist. What is the best way forward?

Should we create a copy of this same app named Splunk_TA_windows_DC and make changes there? So All member servers get Splunk_TA_windows and all Domain Controllers get Splunk_TA_windows_DC. If we do this, are there any special files to be edited apart from just renaming the folder?

Or is it better to create a brand new app just for this one additional input and have it deployed to Domain Controller Class along with the default Splunk_TA_windows?

Thanks,

~ Abhi

0 Karma

CarsonZa
Contributor

renaming the TA is exactly what i did. So in my case i have a ta_windows_endpoints and a ta_windows_servers. Create your separate server classes and then reload the deployment server configs using:

https://<yourserver>:8089/services/deployment/server/config/_reload

Not saying this is the best way, but it certainly works for me.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...