Hi Anthony, thanks for answer my question but I do think there's a misunderstood here... Splunk Deployment Monitor is an builtin app on splunk 4.2 that you cona enable or not in case you want monitoring your splunk envirioment. Our issue here is related with the fact that we have 4 indexers 2 search heads and 2 heavy forwarders and we'd like to look to only one "Splunk Deployment Monitor" and get all information related with all others server.. Your example of serverclass.conf we've already done here to setup some of our apps but I do think it wouldn't work with Splunk Deployment Monitor"; Is there another way to figure out that issue? Thanks,

Amaral

In your serverclass.conf file, whitelist / blacklist a pattern for your servers. In the example I have the prefix on the server.

$Splunk_Home\etc\system\local\serverclass.conf:

[global]

#Set Classes
[serverClass:Location01]
whitelist.0=Loc01*

[serverClass:Location02]
whitelist.0=Loc02*

[serverClass:Location03]
whitelist.0=Loc03*

#App
[serverClass:Location01:app:Forward2Location01]
stateOnClient=enabled
restartSplunkd=true

[serverClass:Location02:app:Forward2Location02]
stateOnClient=enabled
restartSplunkd=true

[serverClass:Location03:app:Forward2Location03]
stateOnClient=enabled
restartSplunkd=true

Create an app for each location. This will point to the indexer you want the data sent to.

$Splunk_Home\etc\deployment-apps\Forward2Location01\outputs.conf

[tcpout]
defaultGroup=Location01

[tcpout:Location01]
server=SplunkIndex01:9997

With this you can have one deployment server and when the clients get download the app, it will tell the server which server to send the data to.