Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

different deployment dir for same app

dinisco
Explorer
‎06-09-2011 10:52 AM

I have several hosts I want to deploy the same app to. I would like to use a different local/inputs.conf for different clients. My reasoning is that I want to turn some scripts on for some clients and not for others, or change intervals, etc.

I'm currently using the standard "unix" app. I suppose I could create a new app, but it would be a lot easier to be able to specify different options for the same app. Is there any way to do this?

Here's a copy of my serverclass.conf:


[global]
blacklist.0=*
continueMatching = true

[serverClass:my_clients]
whitelist.0=host1.example.com
whitelist.1=host2.example.com
whitelist.1=host3.example.com

[serverClass:my_clients:app:unix]
stateOnClient=enabled
restartSplunkd=true

Tags (1)
0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎06-09-2011 03:57 PM

I believe you could create a new class for each grouping of clients, and then create a new add-on under deployment-apps for each. The add-ons would simply include the inputs.conf for that group:

- deployment_apps
   - unix
   - unix_input_group1
      - default
          - inputs.conf
   - unix_input_group2
      - default
          - inputs.conf

You would leave all inputs disabled in the main unix app, and instead have them setup in the add-ons for the class. A couple of caveats though; the standard unix app inputs.conf has script stanzas like this:

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

I imagine you'd have to modify the stanza to the full path (i.e. [script://$SPLUNK_HOME/etc/apps/unix/bin/iostat.sh]) because the referenced scripts aren't in your new app's bin directory. Also, I don't imagine that stanzas in your custom add-ons would properly override those in the unix app. In other words, if you have a unix/default/inputs.conf with this stanza:

[monitor:///var/log]
_whitelist=(\.log|log$|messages$|mesg$|cron$|acpid$|\.out)
_blacklist=(lastlog)
index=os
disabled = 1

best practice to enable it would be to create a unix/local/inputs.conf like this:

[monitor:///var/log]
disabled = 0

However, I don't believe you could enable an input in that way if you're working off of a unix/default/inputs.conf in another app's directory (though I'm not positive of that, so you may want to give it a try). So, you probably need to just copy the entire unix/default/inputs.conf to your new apps, modify script paths and intervals.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...