Configure an app to target a specific splunk serve...

tmontney · ‎10-12-2020

I have two servers (all-in-one), one's production the other development. Sometimes, I'd like to have a forwarder send data to both. The app from production sends the usual data to just the production server. Is there a way to limit the app's scope when an app is deployed from development? Right now, it's sending data from the development app to the production server.

gcusello · ‎10-12-2020

Hi @tmontney,

I'm not sure to have understood your need.

Anyway, if you have the DS you can have on the Forwarders only the apps from the DS, this means that there isn't any difference in scope related to the DS, it depends only on the deployed Apps (or better TAs if you're speaking of Forwarders).

So If you want to limit the scope of a data flow , you have two ways:

if the scope limitation is the number of inputs, in the TA you can configure your inputs to send data to both the servers or only to the production one;
if instead you want to send to development server only a part of logs, you can do this only on the production server, but it isn't easy, e.g. you could schedule an alert with a search that sends the results to the development server e.g. by syslog.

Anyway dubbing logs you have a double license consuption!

Ciao.

Giuseppe

Configure an app to target a specific splunk server

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation