Getting Data In

How to run a scripted input on only one of several heavy forwarders?

danielbb
Motivator

We have a Splunk app that includes multiple scripted inputs.
The app is deployed to 15 heavy forwarders, but we want one of the scripts to run on only one of them.
I first tried adding host = <hostname> inside the scripted‑input stanza, but I now realize that this isn't the solution.
Is there a way to restrict a scripted input so it executes on only a single server, without having to split the app?

1 Solution

gcusello
SplunkTrust

Hi @danielbb ,

as the others also said: you should have two different ServerClasses (if you have a Deployment Server) or two distribution lists if you use another tool.

I don't like the solution of hardcoding a rule in your script, because you have to remember this configuration every time in the future and manage it!

Ciao.

Giuseppe

danielbb
Motivator

Thank you @gcusello, this makes perfect sense, I'll go ahead and create a distinct app that would be deployed only on one of the HFs, much appreciated.


livehybrid
Super Champion

Hi @danielbb 

I think you need to look at how this is deployed to each of the 15 HFs, ultimately you would have to make *something* different on one of them in order for it to know which one to run the input. 

How are you deploying the app to the 15 HFs? Deployment Server? Ansible? 

Each HF operates independently and not as part of a cluster, they aren't aware of each other and there is no leader or anything like that which could be used to determine a particular role.

If you are deploying via Ansible then you could use a templated inputs.conf to toggle the disabled flag on the input, but it really depends on your architecture and deployment approach.

Please let us know so we can help further.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

PickleRick
SplunkTrust

Nope. If you're pushing an app with enabled input to 15 forwarders you're getting an enabled input on each of them. The typical way to handle it is to define the input as disabled within the main app and push it to all forwarders and create a small app which overwrites input's state to enabled and push this app to just one forwarder.
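
The layout described in the replies above (input disabled in the main app, a small override app that enables it, two server classes), sketched as an added example that is not part of the original thread. The app names, script path, sourcetype, index and host patterns are all hypothetical.

```ini
# --- Main app, pushed to all 15 heavy forwarders ---------------------------
# my_inputs_app/default/inputs.conf   (app and script names are hypothetical)
# Full path so the stanza name is identical when another app overrides it.
[script://$SPLUNK_HOME/etc/apps/my_inputs_app/bin/collect.sh]
interval = 300
sourcetype = my:collector
index = main
disabled = 1

# --- Override app, pushed to one heavy forwarder only -----------------------
# 0_my_inputs_enable/default/inputs.conf
# Same stanza name, only the state changes. The name starts with "0_" so it
# sorts ahead of my_inputs_app when Splunk merges app default directories.
[script://$SPLUNK_HOME/etc/apps/my_inputs_app/bin/collect.sh]
disabled = 0

# --- Deployment Server: serverclass.conf ------------------------------------
# Every heavy forwarder receives the main app (host pattern is hypothetical).
[serverClass:all_hfs]
whitelist.0 = hf*.example.com

[serverClass:all_hfs:app:my_inputs_app]
restartSplunkd = true

# Only the chosen forwarder also receives the override app.
[serverClass:script_hf]
whitelist.0 = hf01.example.com

[serverClass:script_hf:app:0_my_inputs_enable]
restartSplunkd = true
```

On the chosen forwarder, `splunk btool inputs list --debug` shows which file supplies the effective `disabled` value for the stanza.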
