different deployment dir for same app

dinisco
Explorer

I have several hosts I want to deploy the same app to. I would like to use a different local/inputs.conf for different clients. My reasoning is that I want to turn some scripts on for some clients and not for others, or change intervals, etc.

I'm currently using the standard "unix" app. I suppose I could create a new app, but it would be a lot easier to be able to specify different options for the same app. Is there any way to do this?

Here's a copy of my serverclass.conf:


[global]
blacklist.0=*
continueMatching = true

[serverClass:my_clients]
whitelist.0=host1.example.com
whitelist.1=host2.example.com
whitelist.2=host3.example.com

[serverClass:my_clients:app:unix]
stateOnClient=enabled
restartSplunkd=true

0 Karma

mw
Splunk Employee

I believe you could create a new class for each grouping of clients, and then create a new add-on under deployment-apps for each. The add-ons would simply include the inputs.conf for that group:

- deployment-apps
   - unix
   - unix_input_group1
      - default
          - inputs.conf
   - unix_input_group2
      - default
          - inputs.conf

You would leave all inputs disabled in the main unix app, and instead have them set up in the add-ons for the class. A couple of caveats, though: the standard unix app inputs.conf has script stanzas like this:

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
index = os
disabled = 1

I imagine you'd have to modify the stanza to the full path (i.e. [script://$SPLUNK_HOME/etc/apps/unix/bin/iostat.sh]) because the referenced scripts aren't in your new app's bin directory. Also, I don't imagine that stanzas in your custom add-ons would properly override those in the unix app. In other words, if you have a unix/default/inputs.conf with this stanza:

[monitor:///var/log]
_whitelist=(\.log|log$|messages$|mesg$|cron$|acpid$|\.out)
_blacklist=(lastlog)
index=os
disabled = 1

best practice to enable it would be to create a unix/local/inputs.conf like this:

[monitor:///var/log]
disabled = 0

However, I don't believe you could enable an input in that way if you're working off of a unix/default/inputs.conf in another app's directory (though I'm not positive of that, so you may want to give it a try). So, you probably need to just copy the entire unix/default/inputs.conf to your new apps, and modify script paths and intervals.

0 Karma