Deployment Architecture

how to assign data to an index?

vnguyen46
Contributor

I have data from different sources already forwarded to a forwarders. Indexes already created on a deployment-master combined server, next how can I assign the data per source to a desired index?

Thanks,

0 Karma
1 Solution

woodcock
Esteemed Legend

If you created an app in the deployment-apps directory on your Deployment Server and it has an inputs.conf that defines index values, you still have to deploy this app to your indexers by creating a serverclass inside of $SPLUNK_HOME/etc/system/local/serverclass.conf and add a whitelist setting to this serverclass that contains the identities of your indexers. Then add the app that you created to the serverclass. Then restart the Deployment Server and let the magic happen.

View solution in original post

0 Karma

vnguyen46
Contributor

Excellent information - thank you everyone.

0 Karma

woodcock
Esteemed Legend

If you created an app in the deployment-apps directory on your Deployment Server and it has an inputs.conf that defines index values, you still have to deploy this app to your indexers by creating a serverclass inside of $SPLUNK_HOME/etc/system/local/serverclass.conf and add a whitelist setting to this serverclass that contains the identities of your indexers. Then add the app that you created to the serverclass. Then restart the Deployment Server and let the magic happen.

0 Karma

Anantha123
Communicator
0 Karma

vnguyen46
Contributor

Do I need to update these .conf files on the deployment server or other instances?

Thanks,

0 Karma

iamsplunker31
Path Finder

Hi @vnguyen46 , You need to update the indexes.conf in ClusterMaster and push it to indexers and inputs.conf on Deployment server push it to forwarders
Update serverclass.conf in DS(Deployment Server)
props.conf is not mandatory

0 Karma

Anantha123
Communicator

You have to update in index.conf ,input.conf ,props.conf, serverclass.conf files to assign data to desired index.

Thanks
Anantha.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...