Getting Data In

Do I need to make outputs.conf for all apps?

Explorer

Hey, just a quick question to find out if I need to make an outputs.conf file for apps.

I am creating a bunch of apps right now to service my cluster's need for a multi-tenant environment. So I am just wondering if I need an outputs.conf file for each app that's going to be used at a location, or if I can just set up a base app with an outputs.conf file that the apps can use to forward traffic?


SplunkTrust

outputs.conf only needs to be specified once IF you are forwarding data from a Splunk instance to indexers or other forwarders.

You very well could use it in a multi-tenant environment if you wanted each app to forward to specific indexers, or to indexers on different ports, etc. So it's up to you. If you use different indexer ports or SSL certs for each tenant / group of inputs (for any reason), then you'll find multiple outputs.conf files useful.

An example might be that the security team wants all Windows security logs forwarded to their Splunk Enterprise Security-enabled indexers. You could thereby create an app with inputs for the security logs and outputs that send the data to that team's indexers only.

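The per-tenant layout the answer describes, written out as an added example (not configuration from the original post; the app name, tcpout group names, hostnames, ports and certificate paths are all assumptions). The base app owns the `[tcpout]` stanza and the general-purpose group; the tenant app only adds its own `[tcpout:<group>]` stanza and pins its inputs to it with `_TCP_ROUTING`, so the two outputs.conf files merge without fighting over `defaultGroup`:

```ini
# ---- base app (constructed): $SPLUNK_HOME/etc/apps/fwd_base/local/outputs.conf ----
# Only the base app sets the global [tcpout] stanza and defaultGroup.
[tcpout]
defaultGroup = general_indexers

# Where inputs with no explicit routing go (hostnames are assumptions).
[tcpout:general_indexers]
server = idx-general-1.example.com:9997, idx-general-2.example.com:9997
useACK = true

# ---- tenant app (constructed): $SPLUNK_HOME/etc/apps/tenant_sec/local/outputs.conf ----
# A second group for the security team's ES indexers, on its own port and
# client certificate. The stanza name differs from the base app's, so the
# files merge cleanly; this file deliberately does NOT set [tcpout] or defaultGroup.
[tcpout:security_indexers]
server = idx-sec-1.example.com:9998, idx-sec-2.example.com:9998
useACK = true
clientCert = $SPLUNK_HOME/etc/auth/tenant_sec/forwarder.pem
# Without sslVerifyServerCert the forwarder will hand the security team's
# data to anything that answers TLS on 9998; verify the peer and pin the names.
sslVerifyServerCert = true
sslCommonNameToCheck = idx-sec-1.example.com, idx-sec-2.example.com

# ---- tenant app (constructed): $SPLUNK_HOME/etc/apps/tenant_sec/local/inputs.conf ----
# _TCP_ROUTING steers just this input to the tenant's group; everything else
# on the forwarder still follows defaultGroup from the base app.
[WinEventLog://Security]
disabled = 0
index = wineventlog
_TCP_ROUTING = security_indexers
```

If two apps both set `defaultGroup` under `[tcpout]`, Splunk's layering rules pick one and the loser's data silently goes to the other group, so keep `[tcpout]` in exactly one app and do tenant routing with `_TCP_ROUTING` or separate group stanzas.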

Ultra Champion

A very interesting thread at -

Changing UF outputs.conf using deployment server

It says -

usual method is to:

• create an app on the deployment server in .../etc//deployment-apps//default/outputs.conf

• define a serverclass.conf on the deployment server (to match clients to apps)

• configure the forwarders to point to the deployment-server in deploymentclient.conf

see http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver

only potential hiccup: if your existing outputs.conf is already in /etc/system/local, then it will have precedence over the one in the deployed app, so move it away first.

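The three steps quoted above, as one added example of the deployment-server layout (not configuration from the linked thread or this post; the app name, server class name, hostnames and ports are assumptions). The deployed app carries the outputs.conf, serverclass.conf on the deployment server maps clients to that app, and each forwarder's deploymentclient.conf names the deployment server:

```ini
# ---- deployment server (constructed):
# $SPLUNK_HOME/etc/deployment-apps/fwd_outputs_base/local/outputs.conf ----
# The outputs.conf that will be pushed to every matched forwarder.
# default/ works just as well here; both lose to the forwarder's system/local.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true

# ---- deployment server (constructed): $SPLUNK_HOME/etc/system/local/serverclass.conf ----
# Match every phoning-home client and give it the outputs app. Tighten the
# whitelist (hostname or IP patterns) per tenant if different groups of
# forwarders should receive different outputs apps.
[serverClass:all_forwarders]
whitelist.0 = *

[serverClass:all_forwarders:app:fwd_outputs_base]
# outputs.conf changes need a splunkd restart to take effect on the forwarder.
restartSplunkd = true

# ---- each forwarder (constructed): $SPLUNK_HOME/etc/system/local/deploymentclient.conf ----
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

To confirm the hiccup in the last bullet is not biting you, run `splunk btool outputs list tcpout --debug` on a forwarder after it has received the app: btool prints the file each resolved setting came from, and any line that still points at `etc/system/local/outputs.conf` is the stale copy shadowing the deployed one.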


Explorer

Thank you!
