Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Props and transforms not working deployment server

vijreddy30
Loves-to-Learn Everything
‎01-23-2024 06:56 AM

Hi, 

UF etc/apps/remo/local 

placed the inputs,outputs,props and tranforms configuration files  and search the data in indexer+SearchHead  servers , Events  are received Successfully.

[monitor://E:\KS Application GBR (GR)\sbxLogs\]
index = ks_dev
sourcetype = ks_logs
crcSalt = <SOURCE>

 

[tcpout:bprserver]
server = 1.2.3.4:9997
useACK = true


[ks_logs]
TRANSFORMS--null = EXCLUDE_INFO_WARN_events

[EXCLUDE_INFO_WARN_events]
REGEX = ^[\d|-]*\s[\d|:|,]*\s(INFO|WARN).*$
DEST_KEY = queue
FORMAT = nullQueue

 

Same configuration updated in the deployment server etc\deploymentapps\ksapp\local

[monitor://E:\KS Application GBR (GR)\sbxLogs\]
index = ks_dev
sourcetype = ks_logs
crcSalt = <SOURCE>

[tcpout:bprserver]
server = 1.2 3.4:9997
useACK = true

[ks_logs]
TRANSFORMS--null = EXCLUDE_INFO_WARN_events

[EXCLUDE_INFO_WARN_events]
REGEX = ^[\d|-]*\s[\d|:|,]*\s(INFO|WARN).*$
DEST_KEY = queue
FORMAT = nullQueue

 

Events are receiving  the SH+indexer server

Note: in my account there is no HeavyForwarder instance.

please help how to do configuration in deployment server.

 

 

 

 

 

 

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-25-2024 04:43 AM

If I understand you correctly, you want the settings you defined on your DS to propagate to forwarders across your environment (or at least to some designated UF(s)).

You did the first step correctly - you created an app in etc/deployment-apps (I hope the "deploymentapps" in your description is just a typo). But now you have to define a server class tying app(s) to deployment client(s) and deload deployment server.

See the https://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver document (read thoroughly the pages about creating server classes and deploying apps).

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-25-2024 03:07 AM

Hi

I suppose that you have UF which get its configurations from DS. Then you have distributed SH + Indexer(s), but not any HFs. Is this correct assumption? 

If so you should deploy inputs.conf and outputs.conf to UF from DS, as you probably have done as you will get events into indexer(s). As those trasforms.conf and props.conf didn't work, I assume that. you haven't install those into indexer(s)?

Based on these assumptions, you should create a new app which contains those transforms and props.confs and install it into indexer(s). Then do a restart and check if it's working.

Anyhow you should do this kind on onboarding on separate instance, like your workstation. There just ensure that your configurations are working and then install those into production.

r. Ismo

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-23-2024 07:36 AM

What is it you expect the Deployment Server to do?

A DS has no use for props.conf, transforms.conf, or inputs.conf.  It uses outputs.conf to send its logs to the indexer(s).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...