Deployment Architecture

Different configs for Splunk_TA_windows depending on serverclass

Communicator

I need to deploy different configs to sets of deployed Splunk_TA_windows apps. I haven't had any luck trying to use the method that works with the *NIX TA of making an app with just the inputs enabled and modified. Can this work, or do people just copy the entire TA and modify it?

Example:

Deploy TA to biz unit A so that WinEventLog:Security is enabled and data goes to index bizA

Deploy TA to biz unit B so that WinEventLog:Security is enabled, all windows filtering platform events are blacklisted, and data goes to index bizB

The important part is not how to specifically do these stanzas, but how to get them picked up by the appropriate clients, preferably without cloning Splunk_TA_windows.

0 Karma
1 Solution

SplunkTrust

From our slack chat:

We usually create a set of different apps, one for each EventLog branch we want. So:

DS-all_department-Input-windows_security
DS-all_department-Input-windows_application
DS-all_department-Input-windows_system

And so on.

Then there would be ones for files, like DHCP, DNS, update log and another for scripts. You can then use the serverclasses to mix and match as needed. Atomic apps to create molecular configs.


Path Finder

I understand that approach, but does each of those apps, e.g. DS-all_department-Input-windows_security, contain the entire folder and file structure of the Splunk_TA_windows app? I.e., are you copying Splunk_TA_windows, renaming the directory to DS-all_department-Input-windows_security and then dropping in a custom local/inputs.conf?

Or does the app DS-all_department-Input-windows_security just contain the custom local/inputs.conf?

0 Karma

SplunkTrust

We only include the inputs.conf.

0 Karma

Motivator

I have done something like that by creating two custom versions of Splunk_TA_Windows.

Create serverclass unitA
Create serverclass unitB
Copy Splunk_TA_Windows folder and rename it Splunk_TA_Windows_unitA
Copy Splunk_TA_Windows folder and rename it Splunk_TA_Windows_unitB

Customize the apps Splunk_TA_Windows_unitA and Splunk_TA_Windows_unitB then assign them to the respective serverclass. Once that is done all you need are the appropriate servers added to the serverclasses.

0 Karma

Communicator

Thanks for answering! This is my fallback approach, but I would prefer to deploy a pristine Splunk_TA_windows and a separate app as needed for each distinct configuration of it.

0 Karma

Motivator

Oh, in that case you need to consider app precedence, but you still need two distinct server classes to hold two distinct apps that contain only the configuration files & stanzas you want to override.

0 Karma
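A concrete layout of the atomic-app pattern from the accepted answer, with the app-precedence point from the last reply worked in: the pristine TA plus one inputs-only override app per server class. This is an added illustration, not configuration from the thread or from Splunk_TA_windows; the hostname patterns, app names and the event-ID range are assumptions.

```ini
# --- Deployment server: etc/system/local/serverclass.conf ---
# Each server class pushes the untouched Splunk_TA_windows plus one
# small override app. The whitelist hostname patterns are assumptions.
[serverClass:bizA]
whitelist.0 = bizA-*

[serverClass:bizA:app:Splunk_TA_windows]
restartSplunkd = true

[serverClass:bizA:app:DS-bizA-Input-windows_security]
restartSplunkd = true

[serverClass:bizB]
whitelist.0 = bizB-*

[serverClass:bizB:app:Splunk_TA_windows]
restartSplunkd = true

[serverClass:bizB:app:DS-bizB-Input-windows_security]
restartSplunkd = true

# --- deployment-apps/DS-bizA-Input-windows_security/local/inputs.conf ---
# The only file in the app. In the global (inputs) context Splunk resolves
# apps in ASCII order, and "DS-..." sorts before "Splunk_TA_windows", so
# this stanza overrides the TA's default/inputs.conf. The stanza name must
# match the one in the TA version you deploy (older TAs use the
# [WinEventLog:Security] form).
[WinEventLog://Security]
disabled = 0
index = bizA

# --- deployment-apps/DS-bizB-Input-windows_security/local/inputs.conf ---
# Same stanza, different index, plus the Windows Filtering Platform (WFP)
# event range dropped on the forwarder before it reaches the indexers.
# The 5152-5159 range is an assumption; verify it against the audit
# policy actually in use before relying on it.
[WinEventLog://Security]
disabled = 0
index = bizB
blacklist = 5152-5159
```

Because only local/inputs.conf lives in the override apps, upgrading Splunk_TA_windows later means redeploying the TA alone; the per-unit index and blacklist settings survive untouched.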