Apps on Indexers

IAskALotOfQs
Path Finder

I was thinking about this just now...

How is it possible to have more than 1 app/add-on functioning on an Indexer? Because now that I understand global-level context and precedence, one app's configurations will always take precedence over another due to lexicographical naming.

(I am aware system/local will override all config changes)

E.g. there is an indexer with 3 apps: Alpha, Bravo and Charlie. Each of their directories will be as follows:

- SPLUNK_HOME/etc/apps/Alpha/local (highest precedence)

- SPLUNK_HOME/etc/apps/Bravo/local

- SPLUNK_HOME/etc/apps/Charlie/local (lowest precedence)

If I want my indexer to have Charlie functionality, that wouldn't work if I have the 2 above in the example running.

What is a fix for this?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @IAskALotOfQs,

First, you should analyze your conf files and identify and resolve any conflicts, so the precedence isn't so relevant.

Then, unless your documentation requires you to install some app or add-on on the Indexers, you could create a custom add-on (called e.g. "TA_for_Indexers") containing the conf files you need, usually indexes.conf, but only one with all the required configurations.

Ciao.

Giuseppe

IAskALotOfQs
Path Finder

I think I was just a bit confused when I asked this question haha.

Conflicts only occur for the same stanzas with the same attributes but different values. That's when the precedence comes in. But for other stanzas defined in apps, it will all be joined together into one final conf file that is used for that instance which makes sense.

Thanks for your reply 🙂

0 Karma
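The merge behaviour discussed in this thread, as an added example that is not part of the original posts and is not Splunk's code: a simplified Python model that layers the `local/indexes.conf` of the three apps per attribute and reports every setting that one app silently overrides in another. The stanza names and values are constructed, the parser handles only `[stanza]` and `key = value` lines, and only app-level `local` directories are modelled (no `system/local`, no `default` directories).

```python
# Simplified model of Splunk's global-context layering (added example, not Splunk code).
# App names come from the thread; stanzas and values are constructed samples.
APP_LOCAL = {
    "Alpha": "[fw_logs]\nfrozenTimePeriodInSecs = 2592000\n",    # 30 days
    "Bravo": "[fw_logs]\nmaxTotalDataSizeMB = 200000\n",
    "Charlie": "[fw_logs]\nfrozenTimePeriodInSecs = 31536000\n"  # 365 days
               "[charlie_audit]\nfrozenTimePeriodInSecs = 31536000\n",
}

def parse_conf(text):
    """Parse a reduced .conf syntax: [stanza] headers and key = value lines."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def merge_apps(app_confs):
    """Merge per attribute; the app whose name sorts first in ASCII order wins."""
    merged, conflicts = {}, []
    for app in sorted(app_confs):  # code-point sort matches ASCII order
        for stanza, attrs in parse_conf(app_confs[app]).items():
            slot = merged.setdefault(stanza, {})
            for key, value in attrs.items():
                if key not in slot:
                    slot[key] = (value, app)  # highest-precedence writer
                elif slot[key][0] != value:
                    conflicts.append((stanza, key, slot[key][1], app))
    return merged, conflicts

if __name__ == "__main__":
    merged, conflicts = merge_apps(APP_LOCAL)
    for stanza, key, winner, loser in conflicts:
        print(f"CONFLICT [{stanza}] {key}: {winner} overrides {loser}")
    for stanza, attrs in merged.items():
        print(stanza, {k: f"{v} ({app})" for k, (v, app) in attrs.items()})
```

In this sample the only conflict is the retention setting on `fw_logs`, where Alpha's 30 days wins over Charlie's 365 days while Bravo's size limit and Charlie's own index merge in untouched. On a live instance, `splunk btool indexes list --debug` prints the merged settings together with the file each line came from.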

isoutamo
SplunkTrust

Hi

I prefer to use some naming schema for all KOs in Splunk. In that way you could point any KO to affect only the logs which you want. You should never use generic names like access_log, service etc. Always use something like my:app1:access_log etc.

There are some docs and other examples of how you could define your own naming schema. And you could change / extend this later when it's needed.

r. Ismo

0 Karma