Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to merge two apps in deployment server

gnanaraj_mcc
Loves-to-Learn Lots
‎06-02-2016 06:27 AM

I am looking for some help in managing apps using the deployment server. Here is the case.
I have two different apps, sending two different logs from the same set of servers. The index and sourcetype are the same. They use the same server class.

App 1: 

monitor://G:\Logfiles\subdir1\*.log
monitor://G:\Logfiles\subdir2\*.log

App2

monitor://G:\Logfiles\subdir3\*.log
monitor://G:\Logfiles\subdir4\*.log

Now I have a new requirement to send the all the logs from all the sub directories. There are close to 250 sub directories 

monitor://G:\Logfiles\*\*.log

How to do I achieve this?
• Should I disable App1 and App2, create new app to monitor://G:\Logfiles\*\*.log. if yes, how to disable app
• Should I delete App1 and App2, create new app to monitor://G:\Logfiles\*\*.log
• Keep App1 and App2 as it is and create new app to monitor://G:\Logfiles\*\*.log. Will this cause events duplicating
• Keep App1 and App2 as it is and create new app to monitor://G:\Logfiles\*\*.log excluding the subdir1, subdir2, subdir3 and subdir4
Any other ways of doing this?

0 Karma
Reply

somesoni2
Revered Legend
‎06-02-2016 08:51 AM

Go with option 2 - remove app1 and app2 from that serverclass and add app3 with new wildcarded input stanza.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-02-2016 08:38 AM

I would create a new app (we will call it app3), merge the inputs from both app1 and app2, then uninstall app1 and app2 via deployment server's UI by removing it from the server classes, and then deploy app3. You can use a tool like notepad++ with the "compare" plugin to compare both inputs.conf and merge between the two.

monitor://G:\Logfiles**.log will not work, should be
monitor://G:\Logfiles...*.log

but even that I would recommend against as it may create a large CPU overhead of the splunkd process.

Would be best to just merge the stanzas from each app into a new inputs.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...