Apps on Indexers

IAskALotOfQs
Path Finder

I was thinking about this just now...

How is it possible to have more than 1 app/add-on functioning on an Indexer? Because now that I understand global-level context and precedence, one app's configurations will always take precedence over another due to lexicographical naming.

(I am aware system/local will override all config changes)

E.G. There is an indexer with 3 apps. Alpha, Bravo and Charlie. Each of their directories will be as follows:

- SPLUNK_HOME/etc/apps/Alpha/local (highest precedence)
- SPLUNK_HOME/etc/apps/Bravo/local
- SPLUNK_HOME/etc/apps/Charlie/local (lowest precedence)

If I want my indexer to have Charlie functionality, that wouldn't work if I have the 2 above in the example running.

What is a fix for this?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @IAskALotOfQs,

At first, you should analyze your conf files and identify and solve eventual conflicts so the precedence isn't so relevant.

Then, unless your documentation requires you to install some app or add-on on the Indexers, you could create a custom add-on (called e.g. "TA_for_Indexers") containing the conf files you need, usually indexes.conf, but only one with all the required configurations.

Ciao.

Giuseppe

IAskALotOfQs
Path Finder

I think I was just a bit confused when I asked this question haha.

Conflicts only occur for the same stanzas with the same attributes but different values. That's when the precedence comes in. But for other stanzas defined in apps, it will all be joined together into one final conf file that is used for that instance which makes sense.

Thanks for your reply 🙂

0 Karma
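
The merge behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of how one conf file (here indexes.conf) is layered across the `local` directories of the Alpha, Bravo and Charlie apps in global context, reporting which app each effective setting comes from and where two apps disagree. The stanza contents are constructed, the function names are hypothetical, and `system/local`, app `default` directories and cluster-specific app locations are left out.

```python
# Added illustration: simplified model of Splunk's global-context merge for
# app-level local/ directories only (system/local and default/ are left out).
from collections import defaultdict

def parse_conf(text):
    """Parse .conf text into {stanza: {attribute: value}}."""
    stanzas, current = defaultdict(dict), "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current]  # register the stanza even if it has no settings
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def merge_apps(app_confs):
    """Merge one conf file across apps; return (effective, conflicts).

    effective: {stanza: {attr: (value, winning_app)}}
    conflicts: [(stanza, attr, winning_app, losing_app, losing_value)]
    """
    effective, conflicts = defaultdict(dict), []
    # sorted() on str compares code points, i.e. ASCII order of the app
    # directory names: the first app to set an attribute wins.
    for app in sorted(app_confs):
        for stanza, attrs in parse_conf(app_confs[app]).items():
            for attr, value in attrs.items():
                if attr not in effective[stanza]:
                    effective[stanza][attr] = (value, app)
                elif effective[stanza][attr][0] != value:
                    winner = effective[stanza][attr][1]
                    conflicts.append((stanza, attr, winner, app, value))
    return effective, conflicts

# Constructed sample indexes.conf contents for the three apps in the question.
SAMPLE = {
    "Alpha":   "[web]\nfrozenTimePeriodInSecs = 2592000\n",
    "Bravo":   "[web]\nfrozenTimePeriodInSecs = 7776000\nmaxTotalDataSizeMB = 5000\n",
    "Charlie": "[firewall]\nhomePath = $SPLUNK_DB/firewall/db\n",
}

if __name__ == "__main__":
    effective, conflicts = merge_apps(SAMPLE)
    for stanza, attrs in effective.items():
        for attr, (value, app) in attrs.items():
            print(f"[{stanza}] {attr} = {value}   (from {app})")
    for conflict in conflicts:
        print("CONFLICT:", conflict)
```

On a running instance, `splunk btool indexes list --debug` prints the effective settings together with the file each one was read from.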

isoutamo
SplunkTrust

Hi

I prefer to use some naming schema for all KOs in Splunk. In that way you could point any KO to affect only logs which you want. You should never use generic names like access_log, service etc. Always use something like my:app1:access_log etc.

There are some docs and other examples of how you could define your own naming schema. And you could change / extend this later when it's needed.

r. Ismo

0 Karma