Deployment Architecture

Using DeploymentServer to deploy Splunk Tech Add-On for *NIX

krussell101
Path Finder

I have a deploymentServer and a couple dozen DeploymentClients. All deploymentClients are universal forwarders.

There are several server classes defined within the deploymentServer. Examples are: linux_servers, production_servers, test_servers, application_A_servers, application_B_servers, etc.

Using the Tech AddOn for Unix, I want to collect server level details, but not all the same details for all Forwarders. I want to collect more data from prod servers than test servers for example. I may need memory data for application A but not application B. We're running up against our indexing limit so I want to be precise about what I collect and what I don't.

I have TA for UNIX working on every host, but it's configured separately on each host which is a pain, so I thought of using the deployment server for this.

I removed the TA for UNIX on a test host, created a new server class on the deployment server ("Splunk_TA_nix") and have successfully gotten the results I configured from the test host. So I know this is a possibility. However, this doesn't allow me to vary the data I collect based on other server classes.

Splunk_TA_nix has a bin directory with many scripts referenced in its inputs.conf file. The format is as such:
[script://./bin/hardware.sh]

SHOULD I . . .

Delete the new server class Splunk_TA_nix. Make all changes to existing inputs.conf files for already-defined server classes. [[ I would either make copies of the Splunk_TA_nix/bin directory in all the server class directories (making the script references accurate) or change the script references to point to a single bin source.]]

???

This seems a little messy to me but I haven't come up with any other ideas.

Thoughts?

araitz
Splunk Employee
Splunk Employee

Since your requirements are to have different configs on a per-server basis, then I would advise that you ship the Splunk_TA_nix with the inputs disabled and then use your separate/existing server classes to enable the inputs selectively.

Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...