
How to handle Custom App deployed to index peers with inputs.conf meant for UF's

jcrosby21
Path Finder

I've created a custom app to get a custom sourcetype. The primary files I created were inputs.conf for the UF (location to monitor, etc.) and props.conf for the index peers to define the parsing of the sourcetype. I'm using the deployment server to push my app to all UF's that should be ingesting data and I had hoped to push the same app via my master node to the index cluster peers.

However, I realized as I did this that I'd be adding my inputs.conf to my index peers. The monitored directory doesn't exist on the indexes, but it is creating another monitoring process isn't it?

I disabled the inputs.conf stanza on my master node's copy of the app folder to resolve this, but long term I'd like to use my deployment server with my master node as a client and deploy the SAME app from my deployment server to both my UF's and my Master Node and then to my Index Peers as described in "Update common peer configurations and apps => use deployment server to distribute the apps to the master":

http://docs.splunk.com/Documentation/Splunk/6.4.0/Indexer/Updatepeerconfigurations#Use_deployment_se...

At that point I have a single copy of my app folder, which needs to have an enabled inputs.conf for the UF's but doesn't need to be pushed to the index peers' inputs.conf? Or is it not a problem that the stanza is defined on the indexes? Am I misunderstanding something?

0 Karma
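One way to check what a shared app would actually activate on each tier, as an added example that is not part of the original thread or of any Splunk tooling: the script below models Splunk's per-app default/ -> local/ layering for inputs.conf and reports the monitor stanzas that remain enabled. The forwarder view is the app's default/inputs.conf alone; the indexer view adds a local/inputs.conf overlay that sets `disabled = 1`, which is the same effect the asker got by disabling the stanza in the master node's copy. All conf text, paths, sourcetype and index names are constructed for the example.

```python
"""Audit which inputs.conf monitor stanzas an app would leave enabled.

Added example, not code from the thread. It layers one app's default/
and local/ inputs.conf the way Splunk does within a single app and lists
the monitor stanzas that survive, i.e. what an index peer would start
polling if the same app is pushed to it. Sample conf text is constructed.
"""
import re

# Constructed sample: the app's default/inputs.conf as a forwarder needs it.
DEFAULT_INPUTS = """
[monitor:///var/log/myapp/*.log]
sourcetype = myapp:events
index = myapp
disabled = 0
"""

# Constructed sample: a local/inputs.conf overlay that switches the input
# off on the indexer copy of the app without touching default/.
LOCAL_INPUTS_INDEXER = """
[monitor:///var/log/myapp/*.log]
disabled = 1
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    Blank lines and '#' comments are skipped. Keys that appear before any
    stanza header are stored under "default", mirroring Splunk's handling.
    """
    stanzas = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Merge parsed layers key by key; later layers win (local over default)."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def is_disabled(value):
    """Interpret the boolean spellings Splunk accepts for 'disabled'."""
    return value.strip().lower() in ("1", "true", "t", "yes")


def enabled_monitor_stanzas(*conf_texts):
    """Return the monitor stanzas still enabled after layering conf_texts in order."""
    merged = merge_layers(*(parse_conf(t) for t in conf_texts))
    return sorted(
        name for name, keys in merged.items()
        if name.startswith("monitor:") and not is_disabled(keys.get("disabled", "0"))
    )


if __name__ == "__main__":
    print("forwarder view:", enabled_monitor_stanzas(DEFAULT_INPUTS))
    print("indexer view:  ", enabled_monitor_stanzas(DEFAULT_INPUTS, LOCAL_INPUTS_INDEXER))
```

This models only the default/local precedence inside one app; Splunk's full precedence also orders apps against each other and against system/local, so on a real host the authoritative answer is `splunk btool inputs list --debug`, which prints the merged result with the file each setting came from. The point the script makes concrete is the one in the question: a monitor stanza that is enabled in the shared app is enabled on every host that receives it, so the indexer tier needs either a disabling overlay or a separate app.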

lguinn2
Legend

If the directory does not exist on the indexers, the indexers will still periodically test to see if it has been created. So there is some overhead there, but it is probably quite small. And you should be able to monitor it either using the Distributed Management Console or with custom searches against the _internal index.

I would probably deploy the same app to both indexers and forwarders. Then I would monitor the effect on the indexers; if it is significant, then I would change my plan and have 2 versions of the app, one for the forwarders and one for the indexers. There really should not be much, if any, overlap between the two versions.

jcrosby21
Path Finder

I agree, there's not typically technical overlap between the two "types" of apps - but there is from a functional perspective. Is it uncommon to have both the inputs and the props for a given set of events custom defined in many apps?

0 Karma