How to handle Custom App deployed to index peers with inputs.conf meant for UFs

jcrosby21
Path Finder

I've created a custom app to get a custom sourcetype. The primary files I created were inputs.conf for the UF (location to monitor, etc.) and props.conf for the index peers to define the parsing of the sourcetype. I'm using the deployment server to push my app to all UFs that should be ingesting data and I had hoped to push the same app via my master node to the index cluster peers.

However, I realized as I did this that I'd be adding my inputs.conf to my index peers. The monitored directory doesn't exist on the indexes, but it is creating another monitoring process, isn't it?

I disabled the inputs.conf stanza on my master node's copy of the app folder to resolve this, but long term I'd like to use my deployment server with my master node as a client and deploy the SAME app from my deployment server to both my UFs and my Master Node and then to my Index Peers as described in "Update common peer configurations and apps => use deployment server to distribute the apps to the master":

http://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/Updatepeerconfigurations#Use_deployment_se...

At that point I have a single copy of my app folder, which needs to have an enabled inputs.conf for the UFs but doesn't need to be pushed to the index peers' inputs.conf? Or is it not a problem that the stanza is defined on the indexes? Am I misunderstanding something?

0 Karma

lguinn2
Legend

If the directory does not exist on the indexers, the indexers will still periodically test to see if it has been created. So there is some overhead there, but it is probably quite small. And you should be able to monitor it either using the Distributed Management Console or with custom searches against the _internal index.

I would probably deploy the same app to both indexers and forwarders. Then I would monitor the effect on the indexers; if it is significant, then I would change my plan and have 2 versions of the app, one for the forwarders and one for the indexers. There really should not be much, if any, overlap between the two versions.
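As an added example (not part of the thread and not Splunk tooling), the following Python sketch derives the indexer-side copy of an app's inputs.conf from the forwarder copy by setting `disabled = 1` on every `monitor://` stanza, and lists any monitor inputs still enabled so the bundle can be checked before it is pushed to the peers. The function names and the sample stanzas are constructed for illustration, and only `1` and `true` are recognised as "disabled" values.

```python
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
DISABLED_RE = re.compile(r"^\s*disabled\s*=\s*(.*)$")

# Constructed sample of a forwarder-side inputs.conf (not from the thread).
SAMPLE = """\
# constructed sample
[monitor:///var/log/customapp/*.log]
sourcetype = custom:app
index = main
disabled = 0

[script://./bin/collect.sh]
interval = 60
"""

def indexer_variant(conf, prefixes=("monitor://",)):
    """Return conf text with every stanza matching `prefixes` set to disabled = 1."""
    out, in_target = [], False
    for line in conf.splitlines():
        m = STANZA_RE.match(line)
        if m:
            in_target = m.group("name").startswith(prefixes)
            out.append(line)
            if in_target:
                out.append("disabled = 1")
            continue
        if in_target and DISABLED_RE.match(line):
            continue  # drop the old setting; it was replaced right after the header
        out.append(line)
    return "\n".join(out) + "\n"

def enabled_inputs(conf, prefixes=("monitor://",)):
    """List matching stanzas that are not disabled (assumption: only 1/true count)."""
    state, current = {}, None
    for line in conf.splitlines():
        m = STANZA_RE.match(line)
        if m:
            name = m.group("name")
            current = name if name.startswith(prefixes) else None
            if current:
                state[current] = True  # enabled unless a disabled line says otherwise
        elif current:
            d = DISABLED_RE.match(line)
            if d:
                state[current] = d.group(1).strip().lower() not in ("1", "true")
    return [name for name, on in state.items() if on]

if __name__ == "__main__":
    print(indexer_variant(SAMPLE))
    print("still enabled:", enabled_inputs(indexer_variant(SAMPLE)))
```

props.conf and the other files in the app are left untouched, so the two copies differ only in the state of the monitor stanzas.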

jcrosby21
Path Finder

I agree, there's not typically technical overlap between the two "types" of apps - but there is from a functional perspective. Is it uncommon to have both the inputs and the props for a given set of events custom defined in many apps?

0 Karma