I need to deploy different configs to sets of deployed SplunkTAwindows apps. I haven't had any luck trying to use the method that works with the *NIX TA of making an app with just the inputs enabled and modified. Can this work, or do people just copy the entire TA and modify it?
Deploy TA to biz unit A so that WinEventLog:Security is enabled and data goes to index bizA
Deploy TA to biz unit B so that WinEventLog:Security is enabled, all windows filtering platform events are blacklisted, and data goes to index bizB
The important part is not how to specifically do these stanzas, but how to get them picked up by the appropriate clients, preferably without cloning SplunkTAwindows.
I have done something like that by creating two custom versions of SplunkTAWindows.
Create serverclass unitA
Create serverclass unitB
Copy SplunkTAWindows folder and rename it SplunkTAWindowsunitA
Copy SplunkTAWindows folder and rename it SplunkTAWindowsunitB
Customize the apps SplunkTAWindowsunitA and SplunkTAWindowsunitB then assign them to the respective serverclass. Once that is done all you need are the appropriate servers added to the serverclasses.
Thanks for answering! This is my fallback approach, but I would prefer to deploy a pristine SplunkTAwindows and a separate app as needed for each distinct configuration of it.
Oh, in that case you need to consider app precedence, but you still need two distinct server classes to hold two distinct apps that contain only the configuration files & stanzas you want to override.
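A sketch of the overlay layout described above, added as an example that is not part of the original thread. The host patterns and the overlay app names (bizA_windows_inputs, bizB_windows_inputs) are hypothetical, Splunk_TA_windows is the add-on's folder name as shipped, the blacklisted event IDs are sample values, and it assumes the add-on keeps its inputs in default/inputs.conf:

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Both server classes receive the unmodified TA plus one small overlay app.
[serverClass:unitA]
whitelist.0 = bizA-*

[serverClass:unitA:app:Splunk_TA_windows]
restartSplunkd = true

[serverClass:unitA:app:bizA_windows_inputs]
restartSplunkd = true

[serverClass:unitB]
whitelist.0 = bizB-*

[serverClass:unitB:app:Splunk_TA_windows]
restartSplunkd = true

[serverClass:unitB:app:bizB_windows_inputs]
restartSplunkd = true

# --- deployment-apps/bizA_windows_inputs/local/inputs.conf ---
# The overlay holds only the settings being overridden. On the client, any
# app's local/ directory outranks every app's default/ directory, and settings
# merge per attribute, so the rest of the TA's stanza stays in effect.
[WinEventLog://Security]
disabled = 0
index = bizA

# --- deployment-apps/bizB_windows_inputs/local/inputs.conf ---
[WinEventLog://Security]
disabled = 0
index = bizB
# Sample Windows Filtering Platform event IDs (constructed list); replace
# with the full set of events you want dropped at the forwarder.
blacklist = 5156,5157
```

Running `splunk btool inputs list --debug` on a client shows which file each effective setting came from, which confirms the overlay is winning over the TA's defaults.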
From our slack chat:
We usually create a set of different apps, one for each EventLog branch we want. So:
DS-all_department-Input-windows_security
DS-all_department-Input-windows_application
DS-all_department-Input-windows_system
And so on.
Then there would be ones for files, like DHCP, DNS, update log and another for scripts. You can then use the serverclasses to mix and match as needed. Atomic apps to create molecular configs.
I understand that approach, but does each of those apps, e.g. DS-all_department-Input-windows_security, contain the entire folder and file structure of the SplunkTAwindows app? I.e., are you copying SplunkTAwindows, renaming the directory to DS-all_department-Input-windows_security and then dropping in a custom local/inputs.conf?
Or does the app DS-all_department-Input-windows_security just contain the custom local/inputs.conf?