Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Apps on Indexers

IAskALotOfQs
Path Finder
‎12-28-2023 04:30 AM

I was thinking about this just now...

 

How is it possible to have more than 1 app/add-on functioning on an Indexer? Because now that I understand global-level context and precedence, one app's configurations will always take precedence over another due to lexicographical naming. 

 

(I am aware system/local will override all config changes)

 

 

E.G. There is an indexer with 3 apps. Alpha, Bravo and Charlie. Each of their directories will be as follows:

 

- SPLUNK_HOME/etc/apps/Alpha/local (highest precedence)

- SPLUNK_HOME/etc/apps/Bravo/local

- SPLUNK_HOME/etc/apps/Charlie/local (lowest precedence)

If I want my indexer to have Charlie functionality, that wouldn't work if I have the 2 above in the example running. 

 

What is a fix for this?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-28-2023 07:30 AM

Hi @IAskALotOfQs,

at first you should analyze your conf files and identify and solve eventual conflicts so the precedence isn't so relevant.

Then, unless you in your documentation is required to install some app or add-on on the Indexers, you could create a custom add-on (called e.g. "TA_for_Indexers") contaning the conf files you need, usually indexes.conf, but only one with all the required configurations.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-28-2023 07:30 AM

Hi @IAskALotOfQs,

at first you should analyze your conf files and identify and solve eventual conflicts so the precedence isn't so relevant.

Then, unless you in your documentation is required to install some app or add-on on the Indexers, you could create a custom add-on (called e.g. "TA_for_Indexers") contaning the conf files you need, usually indexes.conf, but only one with all the required configurations.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

IAskALotOfQs
Path Finder
‎12-28-2023 07:51 AM

I think I was just a bit confused when I asked this question haha.

 

Conflicts only occur for the same stanzas with the same attributes but different values. That's when the precedence comes in. But for other stanzas defined in apps, it will all be joined together into one final conf file that is used for that instance which makes sense.

 

Thanks for your reply 🙂

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-29-2023 12:36 AM

Hi

I prefer to use some naming schema for all KOs in splunk. In that way you could point any KO to affect only logs which you want. You never should use generic names like access_log, service etc. Always use like my:app1:access_log etc.

There are some docs and other examples how you could define your own naming schema. And you could change / extend this later when it's needed.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...