Since many companies are moving towards cloud-based servers, how can we handle Splunk UF deployment on cloud servers which come and go all the time? We were able to deploy the UF and send a Linux app to them, which works fine. But how are people deploying application-related configs?
Since it's not a standalone box, they have to automatically get the apps defined in serverclass. How are Splunk admins handling this? Let's say a new box is spun up and it has 4-5 applications installed on it by the Unix team. How do you tell your UF to update itself with the configs for those applications?
We are trying out a method of tagging each application and using clientName to do this (which has to be updated whenever a new application is installed). Any other ways people are doing it? Please share your views and ideas.
Using clientName or a well-defined hostname pattern you can match on is the best way to automatically assign apps. So it's best to ensure your systems set a good FQDN hostname prior to the first time Splunk runs. Otherwise the current hostname at the time gets cached in $SPLUNK_HOME/etc/system/local/inputs.conf in the default stanza. You would need to update that and restart the UF.
+1 to the clientName option.
We also use clientName filtering. As long as the deployment client gets the deployment server IP and a matching clientName, then they will get all the appropriate apps. You can add as many clients as you want without having to make any deployment server changes. This is by far the fastest & simplest method for deployment.
"We are trying out a method of tagging each application and using clientName to do this (which has to be updated whenever a new application is installed)."
You shouldn't need to add clientNames for already existing classes for new apps. Just add an extra line into the same class pointing at the new app name (you don't need an extra class per app!).
Define your classes using wildcards and you can mix and match your apps based on a combination clientName.
You could have separate classes with separate apps or combine them into groups.
[serverClass:linux]
blacklist.0 = *
whitelist.0 = linux_*
[serverClass:linux:app:Splunkfornix]
[serverClass:linux:app:someothernix_app]

[serverClass:web_server]
blacklist.0 = *
whitelist.0 = *_web_server
[serverClass:web_server:app:Splunkforapache]
[serverClass:web_server:app:someotherweb_app]

[serverClass:database]
blacklist.0 = *
whitelist.0 = *_database
[serverClass:database:app:SplunkforOracle]
[serverClass:database:app:someotherdb_app]

Server #1, clientName "linux_web_server", gets the apps: Splunkfornix, someothernix_app, Splunkforapache, someotherweb_app
Server #2, clientName "linux_database", gets the apps: Splunkfornix, someothernix_app, SplunkforOracle, someotherdb_app
You can do as many of these as you like so you can use the clientName as the key to what groups of apps you get.
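To show how the question's "tag each application" approach and the serverclass wildcards above fit together on a box that is provisioned automatically, here is an added example (not from this thread or from Splunk) that composes the clientName from the roles found at build time, writes the UF's deploymentclient.conf, and checks the name against the whitelist patterns before the instance first phones home. The role names, the deployment server address and the output path are assumptions.

```shell
#!/bin/sh
# Added example: derive clientName from installed roles at provisioning time.
# Role detection is left to the provisioning tool; this script only composes
# and validates the name and writes the UF-side config.

# Compose "<os>_<role>[_<role>...]"; roles are sorted so the name is the same
# no matter in which order the provisioning tool discovered them.
build_client_name() {
    os="$1"; shift
    [ $# -eq 0 ] && { printf '%s\n' "$os"; return; }
    roles=$(printf '%s\n' "$@" | sort -u | tr '\n' '_')
    printf '%s_%s\n' "$os" "${roles%_}"
}

# Local approximation of serverclass whitelist matching using shell globs
# (same * and ? wildcards). Arguments after the name are "class=pattern"
# pairs; each class whose pattern matches the name is printed on its own line.
# Blacklists and hostname/IP matching are not modelled here.
matching_classes() {
    name="$1"; shift
    for entry in "$@"; do
        class=${entry%%=*}; pattern=${entry#*=}
        case "$name" in
            $pattern) printf '%s\n' "$class" ;;
        esac
    done
}

# Write $SPLUNK_HOME/etc/system/local/deploymentclient.conf (path is an
# argument so the function can be exercised against a temp file).
write_deploymentclient_conf() {
    name="$1"; target="$2"; out="$3"
    cat > "$out" <<EOF
[deployment-client]
clientName = $name

[target-broker:deploymentServer]
targetUri = $target
EOF
}

# Constructed demo: a Linux box on which the Unix team installed Apache.
name=$(build_client_name linux web_server)
echo "clientName: $name"
echo "would match serverclasses:"
matching_classes "$name" 'linux=linux_*' 'web_server=*_web_server' 'database=*_database'
tmp=$(mktemp)
write_deploymentclient_conf "$name" "ds.example.internal:8089" "$tmp"   # assumed DS address
cat "$tmp"; rm -f "$tmp"
```

One caveat the check makes visible: a box with two roles gets a name like linux_database_web_server, which the pattern *_database from the answer above does not match, so multi-role hosts need an additional whitelist line per class (for example whitelist.1 = *_database_*) or the matching_classes check will tell you which apps the host would silently miss.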