Deployment Architecture

Props and transforms not working on deployment server

vijreddy30
Loves-to-Learn Everything

Hi, 

On the UF, in etc/apps/remo/local, I placed the inputs, outputs, props and transforms configuration files and searched the data on the indexer + search head servers; events are received successfully.

# inputs.conf
[monitor://E:\KS Application GBR (GR)\sbxLogs\]
index = ks_dev
sourcetype = ks_logs
crcSalt = <SOURCE>

# outputs.conf
[tcpout:bprserver]
server = 1.2.3.4:9997
useACK = true

# props.conf
[ks_logs]
TRANSFORMS-null = EXCLUDE_INFO_WARN_events

# transforms.conf
[EXCLUDE_INFO_WARN_events]
# a '|' inside [...] is a literal pipe, not alternation, so it is left out of the classes
REGEX = ^[\d-]*\s[\d:,]*\s(INFO|WARN).*$
DEST_KEY = queue
FORMAT = nullQueue

The same configuration was updated on the deployment server in etc\deploymentapps\ksapp\local:

# inputs.conf
[monitor://E:\KS Application GBR (GR)\sbxLogs\]
index = ks_dev
sourcetype = ks_logs
crcSalt = <SOURCE>

# outputs.conf
[tcpout:bprserver]
server = 1.2.3.4:9997
useACK = true

# props.conf
[ks_logs]
TRANSFORMS-null = EXCLUDE_INFO_WARN_events

# transforms.conf
[EXCLUDE_INFO_WARN_events]
# a '|' inside [...] is a literal pipe, not alternation, so it is left out of the classes
REGEX = ^[\d-]*\s[\d:,]*\s(INFO|WARN).*$
DEST_KEY = queue
FORMAT = nullQueue

Events are being received on the SH + indexer server.

Note: in my account there is no HeavyForwarder instance.

Please help with how to do the configuration on the deployment server.

0 Karma

PickleRick
SplunkTrust

If I understand you correctly, you want the settings you defined on your DS to propagate to forwarders across your environment (or at least to some designated UF(s)).

You did the first step correctly - you created an app in etc/deployment-apps (I hope the "deploymentapps" in your description is just a typo). But now you have to define a server class tying app(s) to deployment client(s) and reload the deployment server.

See the https://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver document (read thoroughly the pages about creating server classes and deploying apps).

0 Karma

isoutamo
SplunkTrust

Hi

I suppose that you have a UF which gets its configuration from the DS. Then you have distributed SH + indexer(s), but not any HFs. Is this a correct assumption?

If so, you should deploy inputs.conf and outputs.conf to the UF from the DS, as you probably have done, since you get events into the indexer(s). As those transforms.conf and props.conf didn't work, I assume that you haven't installed those on the indexer(s)?

Based on these assumptions, you should create a new app which contains those transforms.conf and props.conf and install it on the indexer(s). Then do a restart and check if it's working.

Anyhow, you should do this kind of onboarding on a separate instance, like your workstation. There, just ensure that your configurations are working and then install those into production.

r. Ismo

0 Karma
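To make the two answers above concrete, here is an added example (not code from the thread, from Splunk, or from any of the posters) that lays out what PickleRick and isoutamo describe: one deployment-server app for the forwarder holding inputs.conf and outputs.conf, a second app holding props.conf and transforms.conf for the indexers, and the serverclass.conf that binds each app to its clients. The scratch directory, the app names ksapp_uf and ksapp_idx, the ks-uf-* host pattern and the idx-01/idx-02 host names are assumptions; the index, sourcetype, regex and 1.2.3.4:9997 target are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the thread): build the deployment-server layout the
# answers describe under a scratch directory. App names, the ks-uf-* whitelist
# pattern and the idx-01/idx-02 host names are assumptions for illustration.
set -eu

# build_ds_apps BASE -- creates BASE/etc/deployment-apps/... and serverclass.conf
build_ds_apps() {
    base="$1"
    da="$base/etc/deployment-apps"
    mkdir -p "$da/ksapp_uf/local" "$da/ksapp_idx/local" "$base/etc/system/local"

    # App 1: for the universal forwarder, where data is collected and sent on.
    cat > "$da/ksapp_uf/local/inputs.conf" <<'EOF'
[monitor://E:\KS Application GBR (GR)\sbxLogs\]
index = ks_dev
sourcetype = ks_logs
crcSalt = <SOURCE>
EOF
    cat > "$da/ksapp_uf/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = bprserver

[tcpout:bprserver]
server = 1.2.3.4:9997
useACK = true
EOF

    # App 2: for the indexers. A UF does not parse events, so a nullQueue
    # transform only takes effect on the first full Splunk instance in the path.
    cat > "$da/ksapp_idx/local/props.conf" <<'EOF'
[ks_logs]
TRANSFORMS-null = EXCLUDE_INFO_WARN_events
EOF
    cat > "$da/ksapp_idx/local/transforms.conf" <<'EOF'
[EXCLUDE_INFO_WARN_events]
# inside [...] a '|' is a literal character, so the classes are written without it
REGEX = ^[\d-]*\s[\d:,]*\s(INFO|WARN).*$
DEST_KEY = queue
FORMAT = nullQueue
EOF

    # serverclass.conf: which clients receive which app. Stanza names are
    # [serverClass:<name>] and [serverClass:<name>:app:<appName>].
    cat > "$base/etc/system/local/serverclass.conf" <<'EOF'
[serverClass:ks_uf]
whitelist.0 = ks-uf-*

[serverClass:ks_uf:app:ksapp_uf]
restartSplunkd = true

[serverClass:ks_idx]
whitelist.0 = idx-01
whitelist.1 = idx-02

[serverClass:ks_idx:app:ksapp_idx]
restartSplunkd = true
EOF
}

# check_ds_layout BASE -- returns 0 when every file the DS needs is in place
# and the indexer app is actually bound to a server class.
check_ds_layout() {
    base="$1"
    for f in deployment-apps/ksapp_uf/local/inputs.conf \
             deployment-apps/ksapp_uf/local/outputs.conf \
             deployment-apps/ksapp_idx/local/props.conf \
             deployment-apps/ksapp_idx/local/transforms.conf \
             system/local/serverclass.conf; do
        [ -f "$base/etc/$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    grep -q '^\[serverClass:ks_idx:app:ksapp_idx\]' "$base/etc/system/local/serverclass.conf"
}

# After editing serverclass.conf the DS must re-read it (the "reload" step):
#   $SPLUNK_HOME/bin/splunk reload deploy-server
# Clients pull the apps on their next phone-home and restart when configured.

if [ "${1:-}" = "run" ]; then
    build_ds_apps "${2:-/tmp/splunk-ds-demo}"
    check_ds_layout "${2:-/tmp/splunk-ds-demo}" && echo "DS layout OK"
fi
```

Run the script with the argument run and a scratch directory, inspect the generated etc/ tree, then copy it onto the deployment server and run splunk reload deploy-server. The split into two apps is the point of both answers: the forwarder needs only inputs.conf and outputs.conf, while the props.conf and transforms.conf pair must land on the indexers, because that is where parsing (and therefore the nullQueue routing) happens. If the indexers form an indexer cluster, push ksapp_idx through the cluster manager instead of the DS, since cluster peers do not take index-time configuration from a deployment server.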

richgalloway
SplunkTrust

What is it you expect the Deployment Server to do?

A DS has no use for props.conf, transforms.conf, or inputs.conf. It uses outputs.conf to send its logs to the indexer(s).

---
If this reply helps you, Karma would be appreciated.
0 Karma