Getting Data In

Do I need to make outputs.conf for all apps?

ecaepp
Explorer

Hey, just a quick question to find out if I need to make an outputs.conf file for apps.

I am creating a bunch of apps right now to service my cluster's needs for a multi-tenant environment. So I am just wondering if I need an outputs.conf file for each app that's going to be used at a location, or if I can just set up a base app with an outputs.conf file that the apps can use to forward traffic with?


jkat54
SplunkTrust

Outputs.conf only needs to be specified once IF you are forwarding data from a Splunk instance to indexers or other forwarders.

You very well could use it in a multi-tenant environment if you wanted each app to forward to specific indexers or to indexers on different ports, etc. So it's up to you. If you use different indexer ports or SSL certs for each tenant / group of inputs (for any reason), then you'll find multiple outputs.confs useful.

An example might be that the security team wants all Windows security logs forwarded to their Splunk Enterprise Security enabled indexers. You could thereby create an app with inputs for security logs and outputs that send the data to that team's indexers only.

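The per-team app the accepted answer describes, written out as an added example (not from this thread or from Splunk's own docs): one deployment app carries both the inputs and a dedicated tcpout group, so only that app's data goes to the security team's indexers. The app name, hostnames, ports and certificate paths are placeholders.

```ini
# $SPLUNK_HOME/etc/deployment-apps/sec_windows_fwd/default/outputs.conf
# (placeholder app name; hostnames, ports and cert paths are placeholders too)

[tcpout]
# Everything not explicitly routed still goes to the shared indexer tier.
defaultGroup = shared_indexers

[tcpout:shared_indexers]
server = idx-shared-1.example.internal:9997, idx-shared-2.example.internal:9997
useACK = true

[tcpout:security_es_indexers]
# Separate port and a team-specific client cert, as the answer suggests
# for tenants that need their own ports or SSL certs.
server = idx-es-1.example.internal:9998, idx-es-2.example.internal:9998
useACK = true
clientCert = $SPLUNK_HOME/etc/apps/sec_windows_fwd/auth/sec_forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/sec_windows_fwd/auth/sec_ca.pem
sslVerifyServerCert = true

# $SPLUNK_HOME/etc/deployment-apps/sec_windows_fwd/default/inputs.conf

[WinEventLog://Security]
disabled = 0
index = wineventlog_security
# Pin this input to the security team's group; other inputs keep defaultGroup.
_TCP_ROUTING = security_es_indexers
```

If a forwarder also has an outputs.conf under $SPLUNK_HOME/etc/system/local, that copy wins over the app's default settings, so check the merged result with `splunk btool outputs list --debug` after deploying.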

ddrillic
Ultra Champion

A very interesting thread at -

Changing UF outputs.conf using deployment server

It says -

The usual method is to:

• create an app in the deployment server in .../etc//deployment-apps//default/outputs.conf

• define a serverclass.conf on the deployment server (to match clients to apps)

• configure the forwarders to point to the deployment-server in deploymentclient.conf

see http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver

The only potential hiccup: if your existing outputs.conf is already in /etc/system/local, then it will take precedence over the one in the deployed app, so move it away first.

ecaepp
Explorer

Thank you!
