I have a deploymentServer and a couple dozen DeploymentClients. All deploymentClients are universal forwarders.
There are several server classes defined within the deploymentServer. Examples are: linux_servers, production_servers, test_servers, application_A_servers, application_B_servers, etc.
Using the Tech AddOn for Unix, I want to collect server level details, but not all the same details for all Forwarders. I want to collect more data from prod servers than test servers for example. I may need memory data for application A but not application B. We're running up against our indexing limit so I want to be precise about what I collect and what I don't.
I have TA for UNIX working on every host, but it's configured separately on each host which is a pain, so I thought of using the deployment server for this.
I removed the TA for UNIX on a test host, created a new server class on the deployment server ("Splunk_TA_nix") and have successfully gotten the results I configured from the test host. So I know this is a possibility. However, this doesn't allow me to vary the data I collect based on other server classes.
Splunk_TA_nix has a bin directory with many scripts referenced in its inputs.conf file. The format is as such:
[script://./bin/hardware.sh]
SHOULD I . . .
Delete the new server class Splunk_TA_nix. Make all changes to existing inputs.conf files for already-defined server classes. [[ I would either make copies of the Splunk_TA_nix/bin directory in all the server class directories (making the script references accurate) or change the script references to point to a single bin source.]]
???
This seems a little messy to me but I haven't come up with any other ideas.
Thoughts?
Since your requirements are to have different configs on a per-server basis, then I would advise that you ship the Splunk_TA_nix with the inputs disabled and then use your separate/existing server classes to enable the inputs selectively.