I am starting to play with the deployment server. If we already have an app created with an index set up, would it just be a matter of adding the new log files to the application index, or would I need to create a new index under the application?
I don't really understand your question, so let me try to clarify a bit:
The configuration for an index is stored in indexes.conf. An application (we usually just say "app") may contain the indexes.conf file.
The actual index is not stored in the app. It can be stored anywhere.
Access to an index is defined by the role of the Splunk user, not the app itself. An index can be accessed from any app, if the user's role permits access.
So the definition of an index is part of an app, but the actual index is not part of any app. You can think of the actual index as "global" in a way.
Finally, we don't usually say "add new log files to an index." Instead, we are defining new inputs (in inputs.conf). This definition specifies what log files will be monitored and the index where the data will be stored. And the inputs.conf file may be part of an app.
I know this seems picky, but I find that being clear about these things can be very helpful.
Now - exactly what are you trying to do with the Deployment Server? I assume that you have an app that you want to deploy, and that the app will contain inputs.conf. If the inputs are all sent to an existing index (main for example), then the app does not need to specify the index. In fact, the app should not.
But if the inputs.conf in the app is referring to a new index (perhaps one that is created specifically to hold the data collected by this app), then the indexes.conf should be included in the app.
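The relationship described in this answer, as an added example that is not part of the original thread: a small check that every index named in an app's inputs.conf is either defined in the app's indexes.conf or already exists. The app contents, the index name `web_logs`, the paths and sourcetypes are constructed samples, and inputs without an `index` setting are assumed to go to `main`.

```python
import configparser

# Constructed inputs.conf for a hypothetical deployment app.
INPUTS_CONF = """
[monitor:///var/log/webapp/access.log]
index = web_logs
sourcetype = webapp:access

[monitor:///var/log/webapp/error.log]
index = web_log
sourcetype = webapp:error

[monitor:///var/log/messages]
sourcetype = syslog
"""

# Constructed indexes.conf shipped in the same app.
INDEXES_CONF = """
[web_logs]
homePath = $SPLUNK_DB/web_logs/db
coldPath = $SPLUNK_DB/web_logs/colddb
thawedPath = $SPLUNK_DB/web_logs/thaweddb
"""

def parse_conf(text):
    # "=" is the only delimiter so values such as "webapp:access" stay intact;
    # interpolation is off so "$SPLUNK_DB" and "%" are read literally.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case (homePath, coldPath, ...)
    cp.read_string(text)
    return cp

def input_targets(inputs_text, default_index="main"):
    """Map each input stanza to the index its data will be stored in."""
    cp = parse_conf(inputs_text)
    return {s: cp[s].get("index", default_index) for s in cp.sections()}

def undefined_targets(inputs_text, indexes_text, existing=("main",)):
    """Return inputs whose index is neither defined in the app nor already existing."""
    defined = set(parse_conf(indexes_text).sections()) | set(existing)
    targets = input_targets(inputs_text)
    return {stanza: idx for stanza, idx in targets.items() if idx not in defined}

if __name__ == "__main__":
    for stanza, idx in undefined_targets(INPUTS_CONF, INDEXES_CONF).items():
        print(f"{stanza} -> index '{idx}' has no definition")
```

Running it before the app is deployed catches the mistyped `web_log` in the second stanza.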
Sorry for the confusion and thank you for the clarifications. The way we are set up, our apps contain indexes. What I was trying to ask was: if a user is requesting that new log files be sent to a previously created index, how do I go about finding the particular index and how do I point the log files to the index?