I want to create a splunk deployment app to configure the forwarder to pick data from a server location.
I know that to create a deployment app, I just have to create a folder in $SPLUNK_HOME/etc/deployment-apps (which is empty) and in forwarder management, add the server class to it... But how do I write code into it? What and where should I write to make the forwarder pick up data from the location?
Why do you want to write a Splunk-Specific app to do this?
You can make changes to the end points with deployment technologies such as Puppet, Chef or SCCM for example. This allows you to push out new configurations.
You can also deploy apps with the Splunk Deployment server as well:
Why try to reinvent the wheel?
Okay... I am doing this the first time.. so could you please be more specific?
I have read this deployment server article numerous times now... but... it still does not answer my question of how do I push the config to make the forwarder pick the data from a location ?
The best thing to try is to set up an actual deployment server.
It is all GUI driven through Splunk, so it won't make much sense to read the article over and over.
Basically, you put the files in the App Directory you want. Then you "create" an app in the GUI, then you tie this app into a "Class" or a group of systems you want to have the app on, then you tell the system to deploy the app. Then the deployment server pushes the app out to the points you want.
As an example, I pushed out the "ciscoios" app to some of my machines and the "splunkappforUnix" to others. Before I did this, I copied those applications to the deployment servers app directory. I then defined the apps, and the systems that needed them, and the deployment server pushed them out.
To find the deployment server settings, in Splunk (when you have a deployment server) go to "Settings" then go to "Forwarder Management".
Like should I add the app. conf, prop.conf files or would it add them on its own? Where should I write what it should do?
This makes so much sense to me now... Thank you first of all for that...
But for creating an app to
1. Monitor a path lets say /abc/def in a server where forwarder is located
2. Pick data if the file is of a certain name and certain type
3. Load the data into splunk
Note: the splunk root and the forwarders are on different location
What are all the files that I should write or is there like app.conf, inputs.conf etc ?
Which ones(files) come as default if I create this APP DIRECTORY and tie it into the class?
Or should I manually create all the files that should go into this app directory?
Is there any sample script that you can share?
You are looking for the "inputs.conf" file. That is the file that selects what you will be monitoring:
I highly recommend you try doing this manually first, get a good understanding of doing it by hand, once you understand that, then you can create modified versions and deploy them.
Again thank you so much......... I am working on an urgent requirement and your help is of great value.
Thanks for the document. It definitely helps me understand the contents of inputs.config. I created an app folder in the deployment_apps folder, created a subdir caled local and also created a file called inputs.conf (4 line input file).
I then created a server class(it is mapped to a client ). I am trying to add this add to the server class , it does not let me and displays a server error.
My doubts are :
1. What is the problem here? Is it happening because of the contents of the app folder?
2. Is it because, it is not reading the inputs.conf?
3. WHAT SHOULD I DO?
Thank you so much for your time and help!
You are over thinking things again.
Why are you trying to use an app?
The inputs.conf is a standard file, you do not need to use an application to do what you are trying to do.
I think you are looking at the problem in the wrong way. An application is a specific thing that you deploy,
I suggest you stop looking at the application side of Splunk, and look at the forwarder side of Splunk.
You need to read through this entire document (and each section) to get a handle on what you really want to do: