
Different configs for Splunk_TA_windows depending on serverclass

Communicator

I need to deploy different configs to sets of deployed Splunk_TA_windows apps. I haven't had any luck trying to use the method that works with the *NIX TA of making an app with just the inputs enabled and modified. Can this work, or do people just copy the entire TA and modify it?

Example:

Deploy TA to biz unit A so that WinEventLog:Security is enabled and data goes to index bizA

Deploy TA to biz unit B so that WinEventLog:Security is enabled, all windows filtering platform events are blacklisted, and data goes to index bizB

The important part is not how to specifically do these stanzas, but how to get them picked up by the appropriate clients, preferably without cloning Splunk_TA_windows.

0 Karma

Re: Different configs for Splunk_TA_windows depending on serverclass

Motivator

I have done something like that by creating two custom versions of Splunk_TA_Windows.

Create serverclass unitA
Create serverclass unitB
Copy Splunk_TA_Windows folder and rename it SplunkTAWindowsunitA
Copy Splunk_TA_Windows folder and rename it SplunkTAWindowsunitB

Customize the apps SplunkTAWindowsunitA and SplunkTAWindowsunitB, then assign them to the respective serverclass. Once that is done, all you need are the appropriate servers added to the serverclasses.

0 Karma

Re: Different configs for Splunk_TA_windows depending on serverclass

Communicator

Thanks for answering! This is my fallback approach, but I would prefer to deploy a pristine Splunk_TA_windows and a separate app as needed for each distinct configuration of it.

0 Karma

Re: Different configs for Splunk_TA_windows depending on serverclass

Motivator

Oh, in that case you need to consider app precedence, but you still need two distinct server classes to hold two distinct apps that contain only the configuration files & stanzas you want to override.

0 Karma

Re: Different configs for Splunk_TA_windows depending on serverclass

SplunkTrust

From our Slack chat:

We usually create a set of different apps, one for each EventLog branch we want. So:

DS-all_department-Input-windows_security
DS-all_department-Input-windows_application
DS-all_department-Input-windows_system

And so on.

Then there would be ones for files, like DHCP, DNS, update log and another for scripts. You can then use the serverclasses to mix and match as needed. Atomic apps to create molecular configs.


Re: Different configs for Splunk_TA_windows depending on serverclass

Path Finder

I understand that approach, but does each of those apps, e.g. DS-all_department-Input-windows_security, contain the entire folder and file structure of the Splunk_TA_windows app? I.e., are you copying Splunk_TA_windows, renaming the directory to DS-all_department-Input-windows_security and then dropping a custom local/inputs.conf?

Or does the app DS-all_department-Input-windows_security just contain the custom local/inputs.conf?

0 Karma

Re: Different configs for Splunk_TA_windows depending on serverclass

SplunkTrust

We only include the inputs.conf.

0 Karma
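
The inputs-only approach from this thread, as an added example that is not code from any of the posters: a script that lays out a pristine Splunk_TA_windows plus one override app per business unit, each holding only `local/inputs.conf`. It relies on Splunk's layering rule that any app's `local` directory takes precedence over every app's `default` directory; the app names, host patterns and the 5152-5159 event-code range for Windows Filtering Platform events are assumptions.

```shell
#!/bin/sh
# Added example. App names, host patterns and the 5152-5159 range are assumptions.

# write_override_app <deployment-apps dir> <app name> <index> [event-code blacklist]
write_override_app() {
    app_dir="$1/$2/local"
    mkdir -p "$app_dir"
    {
        # Must match the stanza name in Splunk_TA_windows/default/inputs.conf
        echo '[WinEventLog://Security]'
        echo 'disabled = 0'
        echo "index = $3"
        if [ -n "${4:-}" ]; then echo "blacklist = $4"; fi
    } > "$app_dir/inputs.conf"
}

# write_serverclass <path to serverclass.conf>
write_serverclass() {
    cat > "$1" <<'EOF'
# Every Windows forwarder receives the unmodified TA
[serverClass:windows_all]
whitelist.0 = *
machineTypesFilter = windows-*
[serverClass:windows_all:app:Splunk_TA_windows]
restartSplunkd = true

# Business unit A: Security log to index bizA
[serverClass:bizA]
whitelist.0 = biza-*
[serverClass:bizA:app:DS-bizA-Input-windows_security]
restartSplunkd = true

# Business unit B: same input, WFP events dropped, index bizB
[serverClass:bizB]
whitelist.0 = bizb-*
[serverClass:bizB:app:DS-bizB-Input-windows_security]
restartSplunkd = true
EOF
}

# build_all <dir standing in for $SPLUNK_HOME/etc on the deployment server>
build_all() {
    mkdir -p "$1/deployment-apps" "$1/system/local"
    write_override_app "$1/deployment-apps" DS-bizA-Input-windows_security bizA
    write_override_app "$1/deployment-apps" DS-bizB-Input-windows_security bizB 5152-5159
    write_serverclass "$1/system/local/serverclass.conf"
}

if [ -n "${1:-}" ]; then build_all "$1"; fi
```

Run it against a scratch directory first and review the generated files before copying them into place; `splunk reload deploy-server` makes the deployment server pick up the new server classes.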