Do I need to make outputs.conf for all apps?

ecaepp
Explorer

Hey, just a quick question to find out if I need to make an outputs.conf file for apps.

I am creating a bunch of apps right now to service my cluster's need for a multi-tenant environment. So I am just wondering if I need an outputs.conf file for each app that's going to be used at a location, or if I can just set a base app with an outputs.conf file that the apps can use to forward traffic with?


jkat54
SplunkTrust

Outputs.conf only need be specified once IF you are forwarding data from a Splunk instance to indexers or other forwarders.

You very well could use it in a multi-tenant environment if you wanted each app to forward to specific indexers or to indexers on different ports, etc. So it's up to you. If you use different indexer ports or SSL certs for each tenant / group of inputs (for any reason), then you'll find multiple outputs.confs useful.

An example might be that the security team wants all Windows security logs forwarded to their Splunk Enterprise Security enabled indexers. You could thereby create an app with inputs for security logs and outputs that send the data to that team's indexers only.
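The two layouts described in the answer above, written out as an added example that is not part of the original post: one base app carrying the only `[tcpout]` default, plus a tenant app that sends its own input to its own indexers. App names, group names, hosts, ports and the certificate path are assumptions made up for illustration.

```ini
# Constructed example: app names, group names, hosts, ports and the
# certificate path are placeholders, not values from this thread.

# --- Base app, deployed to every forwarder ---
# org_all_forwarder_outputs/default/outputs.conf
[tcpout]
defaultGroup = shared_indexers

[tcpout:shared_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# --- Tenant app, deployed only where the security team's inputs run ---
# org_security_windows/default/outputs.conf
# No [tcpout] stanza here: every outputs.conf on a forwarder is merged into
# one configuration, so a second defaultGroup would compete with the base app.
[tcpout:security_indexers]
server = es-idx1.example.com:9998, es-idx2.example.com:9998
clientCert = $SPLUNK_HOME/etc/auth/security_tenant/client.pem
sslVerifyServerCert = true

# org_security_windows/default/inputs.conf
# _TCP_ROUTING pins this input to the tenant's group instead of defaultGroup.
[WinEventLog://Security]
disabled = 0
_TCP_ROUTING = security_indexers
```

Running `splunk btool outputs list --debug` on the forwarder prints the merged settings together with the file each one came from, which confirms that the tenant group exists and that only one `defaultGroup` is in effect.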


ddrillic
Ultra Champion

A very interesting thread at -

Changing UF outputs.conf using deployment server

It says -

usual method is to:

• create an app in the deployment server in .../etc//deployment-apps//default/outputs.conf

• define a serverclass.conf on the deployment server (to match clients to apps)

• configure the forwarders to point to the deployment-server in deploymentclient.conf

see http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver

only potential hiccup, if your existing outputs.conf is already in /etc/system/local, then it will have precedence on the one in the deployed app, so move it away first.

ecaepp
Explorer

Thank you!
