Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Apps on Indexers

IAskALotOfQs
Path Finder
‎12-28-2023 04:30 AM

I was thinking about this just now...

 

How is it possible to have more than 1 app/add-on functioning on an Indexer? Because now that I understand global-level context and precedence, one app's configurations will always take precedence over another due to lexicographical naming. 

 

(I am aware system/local will override all config changes)

 

 

E.G. There is an indexer with 3 apps. Alpha, Bravo and Charlie. Each of their directories will be as follows:

 

- SPLUNK_HOME/etc/apps/Alpha/local (highest precedence)

- SPLUNK_HOME/etc/apps/Bravo/local

- SPLUNK_HOME/etc/apps/Charlie/local (lowest precedence)

If I want my indexer to have Charlie functionality, that wouldn't work if I have the 2 above in the example running. 

 

What is a fix for this?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-28-2023 07:30 AM

Hi @IAskALotOfQs,

at first you should analyze your conf files and identify and solve eventual conflicts so the precedence isn't so relevant.

Then, unless you in your documentation is required to install some app or add-on on the Indexers, you could create a custom add-on (called e.g. "TA_for_Indexers") contaning the conf files you need, usually indexes.conf, but only one with all the required configurations.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-28-2023 07:30 AM

Hi @IAskALotOfQs,

at first you should analyze your conf files and identify and solve eventual conflicts so the precedence isn't so relevant.

Then, unless you in your documentation is required to install some app or add-on on the Indexers, you could create a custom add-on (called e.g. "TA_for_Indexers") contaning the conf files you need, usually indexes.conf, but only one with all the required configurations.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

IAskALotOfQs
Path Finder
‎12-28-2023 07:51 AM

I think I was just a bit confused when I asked this question haha.

 

Conflicts only occur for the same stanzas with the same attributes but different values. That's when the precedence comes in. But for other stanzas defined in apps, it will all be joined together into one final conf file that is used for that instance which makes sense.

 

Thanks for your reply 🙂

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-29-2023 12:36 AM

Hi

I prefer to use some naming schema for all KOs in splunk. In that way you could point any KO to affect only logs which you want. You never should use generic names like access_log, service etc. Always use like my:app1:access_log etc.

There are some docs and other examples how you could define your own naming schema. And you could change / extend this later when it's needed.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...