Deployment Architecture

Deployment server: How to handle a single add-on with multiple configuration versions?

ikulcsar
Communicator

Hi,

I have to manage multiple UF agents with a single deployment server.
I have to set up different whitelists/blacklists for different server classes. For example, I have to collect events with different EventIDs from the DCs and from the other Win servers. So I have to assign the Splunk_TA_windows add-on to ServerClassA and ServerClassB, but with different inputs.conf.

How can I do this? Is it safe to rename the Add-on's directory to Splunk_TA_windows_DC, Splunk_TA_windows_WinSer, etc? This way I can separate the configs.

Regards,
István

0 Karma
1 Solution

FrankVl
Ultra Champion

Do you really need Splunk_TA_Windows on the UFs?

I would check which config you actually need (mostly inputs.conf I guess?) and put that in specific small custom add-ons and deploy that to the relevant UFs.

Even if for some reason you would need Splunk_TA_Windows deployed, you could still do that but keep the custom configuration in separate apps. I wouldn't really recommend using multiple (renamed) copies of the same off-the-shelf TA; that is going to be hard to maintain.

0 Karma

ikulcsar
Communicator

Hi,

As far as I know, Splunk_TA_Windows contains WinEventLog://* input stanzas. Unfortunately, I don't know Splunk systems in detail yet.

So, in general, I can use the default Splunk_TA_Windows on all servers, and create some custom add-ons with the specific config (inputs.conf) and push them alongside the default Splunk_TA_Windows add-on?

Regards,
István

0 Karma

FrankVl
Ultra Champion

Yes.

But once more: I don't think you really need the full TA on your UFs, since that TA (apart from the inputs.conf) mostly consists of index-time and search-time stuff, which your UF won't handle. The TA needs to be on your indexer(s) (or the first HF that exists between your UF and indexers) and on your search head(s).

0 Karma

ikulcsar
Communicator

Thank you. I understand it. So far I was on the safe side and used the whole add-on everywhere; I did not feel the Force in me to select which files are needed and which aren't. (And the guide says Install the add-on...)

Regards,
István

0 Karma
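
The layout suggested in this thread, written out as an added example (not configuration posted by either participant): one small inputs-only app per server class, mapped in serverclass.conf on the deployment server. The app names, host patterns and EventID lists are constructed assumptions; the stanza and setting names are standard serverclass.conf and inputs.conf settings.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Host patterns below are constructed; adapt them to your naming scheme.

# Domain controllers
[serverClass:ServerClassA]
whitelist.0 = dc-*

# All other Windows servers: match every Windows client, then exclude the DCs
[serverClass:ServerClassB]
machineTypesFilter = windows-*
whitelist.0 = *
blacklist.0 = dc-*

# One inputs-only app per class (hypothetical app names).
# Each app is a directory under $SPLUNK_HOME/etc/deployment-apps/.
[serverClass:ServerClassA:app:org_inputs_windows_dc]
restartSplunkd = true

[serverClass:ServerClassB:app:org_inputs_windows_srv]
restartSplunkd = true

# --- deployment-apps/org_inputs_windows_dc/local/inputs.conf ---
# Settings in an app's local/ directory take precedence over any app's
# default/ directory, so this still wins if Splunk_TA_windows is also
# deployed to the same forwarder.
[WinEventLog://Security]
disabled = 0
# Constructed EventID list for domain controllers
whitelist = 4624,4625,4768,4769,4776

# --- deployment-apps/org_inputs_windows_srv/local/inputs.conf ---
[WinEventLog://Security]
disabled = 0
# Constructed EventID list for member servers
whitelist = 4624,4625,4688
```

After editing, run `splunk reload deploy-server` on the deployment server; on a forwarder, `splunk btool inputs list --debug` shows which app each effective setting comes from.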