Installing Splunk UF using Ansible

omershira
Explorer

Hello,

I wrote an ansible playbook that installs and configures splunk UF.

I have created two playbooks, one for linux machines and one for windows.

When I run the Windows playbook it uses this command to install the MSI file:

msiexec.exe /i splunkuniversalforwarder.msi [<flag>=<value>]...[<flagN>=<value>]

I was able to set an indexer and a deployment server and to choose which of the Windows event log inputs to receive data from and so on...

The only problem I have is that all the data is sent by default to the "main" index. I can't seem to find a flag that will send the data to a different index from the start.

I know I can change it in the inputs.conf file but the idea is to do all the configuration from the playbook without needing to change things later.

I want to send all the data from the event log to one index. Can I set it in the installation command? If not, where can I set it so it won't send any data to the "main" index?

Thanks!!

omer shira


richgalloway
SplunkTrust

There is no installer flag that controls which index is used.

Since you have a deployment server (DS) you should use that to configure the UFs. All Ansible needs to do is install the UF and point it at the DS.

Set up the DS to push at least 2 apps to each UF: one for outputs and one for inputs. The output app (my_UF_outputs) has an outputs.conf file in it to direct the UF to your indexers. The inputs app (my_UF_inputs) has an inputs.conf file which says which eventlog inputs to use and the index in which to store them.

---
If this reply helps you, Karma would be appreciated.

omershira
Explorer

Hi,

I will try it!

but I have a question:

In the playbook I am asking the user to choose which input from the event log they want to receive data from and which performance inputs.

For the event log inputs I put each one in a boolean variable, and with it I later create a flag such as "WINEVENTLOG_APP_ENABLE=1/0".

For the performance inputs I create a list of which inputs the user wants.

So as you can understand, I don't know before the playbook is run what the UF will monitor.

Is there a way to set in the inputs.conf (from the deployment server, as you said) an index for all the data? I mean to set an index for all the data that will be sent from that specific UF?

Thanks!!!

omer shira


richgalloway
SplunkTrust

The inputs.conf file sent by the DS can specify the index for each input, even if they are not used.

The installer can enable the user's preferred inputs and the data will go to the index specified by the DS.

There is a caveat, however. There will be a short delay from when the UF starts until it reads the configurations supplied by the DS. During that time, eventlogs will be sent to index=main.

As an aside, IMO, users should not be allowed to choose what will be monitored. That choice should be made according to company/IT policy regarding what data is needed for security or performance monitoring purposes.

---
If this reply helps you, Karma would be appreciated.
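The deployment-server layout richgalloway describes in both replies, as an added example that is not part of the thread: a bash script for a Linux deployment server that writes the my_UF_outputs and my_UF_inputs apps, a serverclass.conf that pushes them to Windows UFs, and an audit that flags any inputs.conf stanza without an index= line (those are the inputs that would land in main). Every event log stanza carries index= whether or not the installer enables that log, and is written with disabled = 1 on purpose: the MSI writes the user's WINEVENTLOG_*_ENABLE choices to etc/system/local/inputs.conf, which outranks any app, so only the chosen logs become enabled while the index= attribute still merges in from the app. The paths, hostnames, ports, index name and script name are assumptions; perfmon stanzas would need the same treatment with names matching what the installer writes.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: lay out the two deployment-server apps
# (my_UF_outputs, my_UF_inputs) plus a serverclass that pushes them to Windows
# UFs, then audit that every input stanza names an index so nothing falls back
# to "main". Paths, hostnames, ports and the index name are assumptions.
set -euo pipefail

# Assumed locations on a Linux deployment server.
DS_APPS="${DS_APPS:-/opt/splunk/etc/deployment-apps}"
DS_LOCAL="${DS_LOCAL:-/opt/splunk/etc/system/local}"

# outputs.conf: where the UF sends data. Indexer hostnames are assumed.
make_outputs_app() {
  local app="$1/my_UF_outputs"
  mkdir -p "$app/local"
  cat > "$app/local/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
EOF
}

# inputs.conf: one stanza per Windows event log the installer can enable,
# each carrying index=. disabled=1 is deliberate: the MSI writes the user's
# WINEVENTLOG_*_ENABLE choices to etc/system/local/inputs.conf, which outranks
# any app, so only the chosen logs are enabled while index= merges in from here.
make_inputs_app() {
  local app="$1/my_UF_inputs" index="$2" log
  mkdir -p "$app/local"
  : > "$app/local/inputs.conf"
  for log in Application Security System ForwardedEvents Setup; do
    printf '[WinEventLog://%s]\ndisabled = 1\nindex = %s\n\n' "$log" "$index" \
      >> "$app/local/inputs.conf"
  done
}

# serverclass.conf on the DS: push both apps to every Windows UF that phones home.
make_serverclass() {
  mkdir -p "$1"
  cat > "$1/serverclass.conf" <<'EOF'
[serverClass:windows_ufs]
whitelist.0 = *
machineTypesFilter = windows-x64

[serverClass:windows_ufs:app:my_UF_outputs]
restartSplunkd = true

[serverClass:windows_ufs:app:my_UF_inputs]
restartSplunkd = true
EOF
}

# Audit an inputs.conf: report every stanza with no index= line (those inputs
# would default to index=main). Returns 1 if any stanza is missing it.
audit_inputs() {
  local file="$1" stanza="" has_index=1 missing=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      \[*\])
        if [ -n "$stanza" ] && [ "$has_index" -eq 0 ]; then
          echo "no index= in $stanza (would land in main)"; missing=1
        fi
        stanza="$line"; has_index=0 ;;
      index\ *=*|index=*) has_index=1 ;;
    esac
  done < "$file"
  if [ -n "$stanza" ] && [ "$has_index" -eq 0 ]; then
    echo "no index= in $stanza (would land in main)"; missing=1
  fi
  return "$missing"
}

# Run as: DS_APPS=... DS_LOCAL=... bash make_ds_apps.sh build wineventlog
if [ "${1:-}" = "build" ]; then
  make_outputs_app "$DS_APPS"
  make_inputs_app "$DS_APPS" "${2:-wineventlog}"
  make_serverclass "$DS_LOCAL"
  audit_inputs "$DS_APPS/my_UF_inputs/local/inputs.conf" && echo "all stanzas carry index="
fi
```

On the Windows side the playbook then only needs to pass DEPLOYMENT_SERVER="ds.example.com:8089" (hostname assumed) to msiexec alongside the WINEVENTLOG_*_ENABLE flags; the DS supplies the outputs and the index. The caveat in the reply above still holds: events written between the first start of the UF and the first DS check-in go to main, and no configuration pushed by the DS can reach back before it was received.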