I am trying out the Splunk App for Websphere. I have a UF, an indexer and a Search Head. I have installed the app on SH. Placed the props.conf, transforms.conf and indexes.conf in etc/system/local of the Indexer. Now I want to apply the props and transforms only for this app. Please let me know how I can achieve this.
You could safely put all the contents of
$SPLUNK_HOME/etc/apps/splunk_app_was/default/
on both the indexer and search head. the indexes.conf will create an empty index on the search head (and harm nothing) and macros.conf and savedsearches.conf will be ignored on the indexer.
if you look at props.conf, based on the sources, the app creates sourcetypes and has both EXTRACT (search time) and TRANSFORMS (index time) extractions.
So the answer (without knowing what you want to do) is that any additions to the existing props.conf and transforms.conf would be in
$SPLUNK_HOME/etc/apps/splunk_app_was/local/
if you are coding them by hand... again, putting your changes on both indexer and search head will harm nothing. Splunk will use what it needs depending upon whether your additions are search time or index time behaviors.
TO CLARIFY:
Your forwarder points the data to your indexer. The forwarder is told that it should send data to the index "websphere". It will only send that data to the indexer... since it's only communicating with the indexer so if you did have indexes.conf on the search head, it would remain empty and harm nothing (in fact, there are benefits to that because you can then add or restrict usage of that index when you create roles and users)
The doc could be more clear, but what they're saying is...
unpack the tarball.
copy the app... to both indexer and search head. The files that "don't belong" or "aren't really needed" will be ignored... so you don't have to worry about them. $SPLUNK_HOME/etc/apps/splunk_app_was/default/
on the indexer and search head can be identical.
If you want to add something or change something... the ../default and ../local directories are hierarchical.
So for example if I have this in ../default:
indexes.conf
[websphere]
homePath = $SPLUNK_DB/websphere/db
coldPath = $SPLUNK_DB/websphere/colddb
thawedPath = $SPLUNK_DB/websphere/thaweddb
disabled = false
to disable that I create an indexes.conf file in $SPLUNK_HOME/etc/apps/splunk_app_was/local/
that looks like this:
[websphere]
disabled = true
and now the disabled=false
under the [websphere]
stanza in default, is set to true
and that stanza is disabled. The alternative in this case... is to just not have the indexes.conf (in default) at all. But then later... you might be wondering "what did I do? and why?"
Same goes for props.conf
usually people don't include the disabled=false
in a props.conf or transforms.conf stanza, as that is the default setting... so it is implied.
but if you add a props.conf
in 'local' you can add to what is in default... by simply adding that one directive.
for example, one of the stanzas in props.conf
in default
is this:
[WebSphere:javacore]
BREAK_ONLY_BEFORE = NULL\s+[-]{30,}
MAX_EVENTS = 13000
EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P<websphere_DumpRoutineSubComponents>[\w ]*)
BREAK_ONLY_BEFORE = \[.+:.{2}:.{2}:.{3}\s
so if I wanted to add something to that stanza, all you need is the name of the stanza
so in $SPLUNK_HOME/etc/apps/splunk_app_was/local/props.conf
I might add the following:
[WebSphere:javacore]
EXTRACT-websphere_my custom extraction= (?i)blahblahblah.*(?P<websphere_DumpRoutineSubComponents>[\w ]*)\sblah\sblah
and Splunk will see:
[WebSphere:javacore]
BREAK_ONLY_BEFORE = NULL\s+[-]{30,}
MAX_EVENTS = 13000
EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P<websphere_DumpRoutineSubComponents>[\w ]*)
BREAK_ONLY_BEFORE = \[.+:.{2}:.{2}:.{3}\s
EXTRACT-websphere_my custom extraction= (?i)blahblahblah.*(?P<websphere_DumpRoutineSubComponents>[\w ]*)\sblah\sblah
Now, WHERE your directive would be applied would depend on what it was. in this case, a search time extraction needs to be on the search head.
If you changed something about line breaking... that's index time and would be on the indexer.
Again... it doesn't hurt anything to just update both spots. but that's up to you.
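The default/local layering and the index-time versus search-time split described in the answer above, as an added example that is not part of the original post or of the Splunk app. The parser is a simplified model of the layering, the local values (MAX_EVENTS = 20000, EXTRACT-my_custom) are constructed, and the key classification list is deliberately small and not exhaustive.

```python
import re
# DEFAULT_PROPS is abridged from the stanza quoted in the answer; LOCAL_PROPS is
# a constructed override that changes one key and adds one extraction.
DEFAULT_PROPS = r"""
[WebSphere:javacore]
BREAK_ONLY_BEFORE = NULL\s+[-]{30,}
MAX_EVENTS = 13000
EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P<websphere_DumpRoutineSubComponents>[\w ]*)
"""
LOCAL_PROPS = r"""
[WebSphere:javacore]
MAX_EVENTS = 20000
EXTRACT-my_custom = (?i)blah\s(?P<my_field>\w+)
"""
INDEX_TIME = ("TRANSFORMS-", "BREAK_ONLY_BEFORE", "MAX_EVENTS", "LINE_BREAKER", "SHOULD_LINEMERGE")
SEARCH_TIME = ("EXTRACT-", "REPORT-")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (assumed model: a repeated key keeps its last value)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def applies_at(key):
    """Name the tier that acts on a props.conf key."""
    if key.startswith(INDEX_TIME):
        return "index time (indexer)"
    return "search time (search head)" if key.startswith(SEARCH_TIME) else "unclassified"

def effective(default_text, local_text):
    """Layer local over default per stanza and key; each value records its winning layer and tier."""
    merged = {}
    for layer, text in (("default", default_text), ("local", local_text)):
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {})[key] = (value, layer, applies_at(key))
    return merged

if __name__ == "__main__":
    for key, row in effective(DEFAULT_PROPS, LOCAL_PROPS)["WebSphere:javacore"].items():
        print(key, row)
```

On a running instance, `splunk btool props list --debug` prints the merged settings together with the file each one came from.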
Makes a lot more sense now. Thanks again. But a concern for me here is that I could have a file that somehow matches the source pattern of my props.conf. But I don't want the sourcetype of that source to be changed. I need to change the sourcetype of only selective sources coming from a particular host. I want to apply the source as well as the host filter on my props.conf. Hope I was able to explain myself.
well... you want to check here:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Wheretofindtheconfigurationfiles
and also check to be sure that the "source" regex in the app are specific enough for you.
It's not so much about accidentally grabbing things. It's being aware of the configuration file precedence and how to tell what Splunk sees last. (last is the win)
for which you want to check here:
So please find the steps that I must do..
1. Install Splunk App for WAS on my Search Head
2. Create $SPLUNK_HOME/etc/apps/splunk_app_was/local/ on my indexer
3. Copy files from $SPLUNK_HOME/etc/apps/splunk_app_was/default/ on my search head to $SPLUNK_HOME/etc/apps/splunk_app_was/local/ on my indexer
4. Cut indexes.conf from $SPLUNK_HOME/etc/apps/splunk_app_was/local/ on Indexer to $SPLUNK_HOME/etc/system/local/ on Indexer
5. Put inputs.conf on UF like
[monitor:///servers/was7/appserver/profiles/dmgr/config/cells/MyCell/security.xml]
crcSalt =
disabled = false
followTail = 0
index = websphere
So this ensures that if for any other source from any other server having the same path, the props.conf specific to Splunk app for WAS will not be applied??