I am having trouble understanding/implementing the concept of deployment servers and how the deployment clients send data to the indexes.
On the Deployment Server Web, when you go into add data, you select clients/create server class etc. This gets saved in the deployment apps folder with all the .conf files. Then reload deploy server. I understand that much.
What I don't understand, and my question, is when we are in the Deployment Server Web setting up a new data input. After we select our clients and server classes, we can also choose the index.
This confuses me because the deployment server doesn't store indexes, right?
Do we pre-configure the indexes on the indexer before we set up a deployment server, or when we select 'create new index' from the Deployment Server Web? When we push this out to our deployment clients, will this create the newly created index on the indexer?
Hope this makes sense.
Thank you all.
You ALWAYS configure the Indexes on the indexer(s) before doing anything with the Deployment Server to set up inputs from the forwarders/clients. If you do not do this, you will start getting errors on the Indexers about events being sent to it that are set for an unknown index. So... before you configure the DS to tell the forwarders to send to the new index, make sure that you have configured the new index on the indexers, so that it/they are ready to receive from the endpoints.
You CAN SAY that you WANT to set up an index from the Deployment Server, BUT you are only telling the endpoint forwarder to create the input and send it to the nominated NEW index on the indexers. If you create the new index on the DS, it WILL create the index on the DS, but this would be redundant, as the DS will not receive the data, as you are forwarding to the indexer(s).
Why should we be able to get the DS to create an index on itself? Well, this is valid functionality in the case where there is just one Splunk server, fulfilling all of the roles, as it is an Indexer in that case.
Thank you very much BlueSocket! I was confusing myself and you helped clear things up perfectly. Deployment server is now working and clients are now sending data to the newly created indexes!
You can do whatever you like from the Search Head GUI of the Deployment Server but NONE of it will be deployable because everything done in the GUI will be saved into $SPLUNK_HOME/etc/apps/. Apps are deployable when they are put into $SPLUNK_HOME/etc/deployment-apps/ and this move can only be done from the CLI (or perhaps from the REST API).
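The ordering described in the answers above (index defined on the indexer first, inputs pushed from deployment-apps second) can be checked before reloading the deployment server. This is an added example, not code from the thread or from Splunk: the sample configs are constructed, the function names are hypothetical, and it assumes the built-in main index exists on the indexer and is the default for inputs that set no index.

```python
import re

# Constructed sample: indexes.conf as it exists on the indexer(s).
INDEXER_INDEXES_CONF = """
[web_logs]
homePath   = $SPLUNK_DB/web_logs/db
coldPath   = $SPLUNK_DB/web_logs/colddb
thawedPath = $SPLUNK_DB/web_logs/thaweddb
"""

# Constructed sample: inputs.conf of an app under deployment-apps on the DS.
DEPLOYMENT_APP_INPUTS_CONF = """
[monitor:///var/log/nginx/access.log]
index = web_logs

[monitor:///var/log/auth.log]
index = os_auth

[monitor:///var/log/syslog]
sourcetype = syslog
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def unknown_index_inputs(inputs_text, indexes_text, builtin=("main",)):
    """Return {input stanza: index} for inputs whose index the indexer lacks."""
    defined = (set(parse_conf(indexes_text)) - {"default"}) | set(builtin)
    inputs = parse_conf(inputs_text)
    fallback = inputs.get("default", {}).get("index", "main")  # assumed default
    return {stanza: settings.get("index", fallback)
            for stanza, settings in inputs.items()
            if stanza != "default" and settings.get("index", fallback) not in defined}

if __name__ == "__main__":
    print(unknown_index_inputs(DEPLOYMENT_APP_INPUTS_CONF, INDEXER_INDEXES_CONF))
```

Any stanza it reports would produce the unknown-index errors on the indexers once the app is deployed, so the index needs to be added there first.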