Configure an app to target a specific splunk serve...

tmontney · ‎10-12-2020

I have two servers (all-in-one), one's production the other development. Sometimes, I'd like to have a forwarder send data to both. The app from production sends the usual data to just the production server. Is there a way to limit the app's scope when an app is deployed from development? Right now, it's sending data from the development app to the production server.

gcusello · ‎10-12-2020

Hi @tmontney,

I'm not sure to have understood your need.

Anyway, if you have the DS you can have on the Forwarders only the apps from the DS, this means that there isn't any difference in scope related to the DS, it depends only on the deployed Apps (or better TAs if you're speaking of Forwarders).

So If you want to limit the scope of a data flow , you have two ways:

if the scope limitation is the number of inputs, in the TA you can configure your inputs to send data to both the servers or only to the production one;
if instead you want to send to development server only a part of logs, you can do this only on the production server, but it isn't easy, e.g. you could schedule an alert with a search that sends the results to the development server e.g. by syslog.

Anyway dubbing logs you have a double license consuption!

Ciao.

Giuseppe

Configure an app to target a specific splunk server

universal forwarder

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!