Deployment Architecture

Use a different Index based on a server class

mjeanrichard
Explorer

Hi

I would like to use a different Index for each of my environments (Production, Preproduction, Test, etc) and use the deployment server. Can I somehow split the configuration that describes what I want to monitor and in what index it should be saved? So that I can have an app for each environment that just specifies the indexes to be used and another app that specifies what is indexed (independent of the environment)?

The solution that I came up with so far is to create one app per environment and data class (e.g. test_iis, test_win, prod_iis, prod_win).

Thanks for your help.

Tags (1)
0 Karma
1 Solution

PPape
Contributor

Yes you can deploy an input app that is all the same for all enviroments. And than you can deploy a specific app with an inputs.conf where the index= [index Name] parameter is set under the same stanza. please make sure that the index= parameter is not set in your all enviroment app.

View solution in original post

0 Karma

somesoni2
Revered Legend

The inputs.conf entry for monitoring data does allow you to specify the which index the monitored data will go, so all you need to do is to have a separate inputs.conf pointing to different indexes for each environment. You already have separate app for each environment, all you need now is to ensure the inputs.conf under each app is pointing to appropriate index.

0 Karma

PPape
Contributor

Yes you can deploy an input app that is all the same for all enviroments. And than you can deploy a specific app with an inputs.conf where the index= [index Name] parameter is set under the same stanza. please make sure that the index= parameter is not set in your all enviroment app.

0 Karma

mjeanrichard
Explorer

Thanks for your help.

That reduces the configs a little, but still I have to redeclare all the stanzas (there are about 20 different monitor stanzas) for every environment. That means that every time I add a monitor I have to update all the environment specific inputs.config as well.

What happens if I configure a stanza in the index app, but not in the environment app. I think the monitors are enabled by default? What if the Monitor Paths are not always the same?

Maybe I should provide an example:

Windows Infrastructure App:

[WinEventLog://Application]
disabled=0

[perfmon://Available Memory]
counters = Available Bytes
interval = 10
object = Memory

...

IIS App

[monitor://Z:/IIS/Log/]
sourcetype = iis
disabled = 0
ignoreOlderThan = 1d

...

Test Environment App

[WinEventLog://Application]
index = test_infrastructure

[perfmon://Available Memory]
index = test_infrastructure

[monitor://Z:/IIS/Log/]
index = test_iis
...
0 Karma

PPape
Contributor

You can deploy all three apps to your test enviroment. The only thing you have to change is the copy of Test Enviroment App to fit your other enviroments.

If the Path changes in your enviroments there is no other way than take the whole stanza in the Enviroment app. you could do something like this

IIS App

[monitor://Z:/IIS/Log/]
 sourcetype = iis
 ignoreOlderThan = 1d

 ...

Test Environment App

 [WinEventLog://Application]
 index = test_infrastructure

 [perfmon://Available Memory]
 index = test_infrastructure

 [monitor://Z:/IIS/Log/]
 index = test_iis
 disabled=1
 ...

 [monitor://Y:/IIS/Log/]
 index = test_iis
 disabled=0
 sourcetype = iis
 ignoreOlderThan = 1d
 ...
0 Karma

mjeanrichard
Explorer

Thanks for you answer. What if I have a Server in the test environment that has no IIS? Because I deploy the environment app to every server I would still have the monitor stanza for IIS on that server (the forwarder won't find the directory and will probalb report a warning, but thats a rather ugly solution)

0 Karma

PPape
Contributor

in this case you have to be more granular. So in worst case you have to make an enviroment app for every app (or bundle) that you deploy with its own inputs.conf

0 Karma

mjeanrichard
Explorer

Yeah, ok, that is what I suspected. Thanks anyway!

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...