Deployment Architecture

How many apps can I deploy in Universal Forwarder?

splunk_soc360
New Member

Hi everybody,

I'm trying to deploy 2 apps to a universal forwarder from a deployment server. The problem I'm encountering is that when the deployment finishes and the Splunk Universal Forwarder service restarts, the deployed apps don't work, whereas if I deploy only 1 app, the app works and I receive the logs.

My configuration is the following:

In my Universal Forwarder I have:
o) App1
o) App2

The inputs.conf file from App1 has this config:

[WinEventLog://ForwardedEvents]
index=index1
sourcetype=sourcetype1
whitelist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0

And App2 has the same configuration but changes the events received:

[WinEventLog://ForwardedEvents]
index=index2
sourcetype=sourcetype2
blacklist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0

These apps work separately but not together. Is there any kind of limit on using several apps in a single universal forwarder?


gcusello
SplunkTrust

Hi @splunk_soc360,
Splunk only works with one stanza, so I suggest using only one stanza with one index.
Then, on the Indexers (or Heavy Forwarders, if present), override the index value in this way:
On your indexer or heavy forwarder:

in transforms.conf

[overrideindex]
DEST_KEY = _MetaData:Index
REGEX = EventCode\=(4100|4104|4103)
FORMAT = index2

in props.conf

[sourcetype1]
TRANSFORMS-index = overrideindex

Ciao.
Giuseppe

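An added example, not code from the thread, that simulates what the transforms.conf stanza above does at index time: the posted REGEX is applied to constructed WinEventLog-style event text, and an event is routed to index2 when it matches, otherwise it stays in the index the single input stanza assigns (index1 here). It also shows, as an assumption of this example and not something the answer states, a stricter variant of the regex: the posted pattern has no trailing anchor, so a code such as 41040 (a constructed value) would also match on its "4104" prefix. For the override to have anything to route, the single stanza must collect both groups of events, so it cannot keep the three-code whitelist from App1.

```python
"""Simulate the index-override transform on constructed Windows event text."""
import re

# Regex copied from the transforms.conf stanza in the answer above.
OVERRIDE_REGEX = re.compile(r"EventCode\=(4100|4104|4103)")

# Hardened variant (assumption, not from the thread): the negative lookahead
# stops the alternation matching as a prefix of a longer event code.
OVERRIDE_REGEX_STRICT = re.compile(r"EventCode=(?:4100|4104|4103)(?!\d)")


def route_index(raw_event, default_index="index1", regex=OVERRIDE_REGEX):
    """Return the index an event lands in.

    FORMAT=index2 applies when REGEX matches; otherwise the event keeps the
    index set by the input stanza on the forwarder (default_index).
    """
    return "index2" if regex.search(raw_event) else default_index


# Constructed samples in the multi-line key=value layout of WinEventLog
# events (renderXml=0); 41040 is a made-up code used only to show the
# prefix problem.
SAMPLE_EVENTS = {
    "powershell_script_block": (
        "LogName=Microsoft-Windows-PowerShell/Operational\n"
        "EventCode=4104\n"
        "TaskCategory=Execute a Remote Command\n"
    ),
    "process_creation": (
        "LogName=Security\n"
        "EventCode=4688\n"
        "TaskCategory=Process Creation\n"
    ),
    "prefix_collision": (
        "LogName=Security\n"
        "EventCode=41040\n"
        "Message=constructed test event\n"
    ),
}


def route_all(events, regex=OVERRIDE_REGEX):
    """Map each sample event name to the index it would be written to."""
    return {name: route_index(raw, regex=regex) for name, raw in events.items()}


if __name__ == "__main__":
    for name, idx in route_all(SAMPLE_EVENTS).items():
        print(f"{name:24s} -> {idx}  (posted regex)")
    for name, idx in route_all(SAMPLE_EVENTS, regex=OVERRIDE_REGEX_STRICT).items():
        print(f"{name:24s} -> {idx}  (strict regex)")
```

Because TRANSFORMS-* run during parsing, this logic lives on an indexer or heavy forwarder, never on the universal forwarder, which is why the same stanza cannot be applied on the UF.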

splunk_soc360
New Member

Hi Giuseppe,

Thanks for replying. I've tried to apply the solution that you propose, but I think it doesn't work for me because I'm using a Universal Forwarder instead of a Heavy Forwarder. It could be used on the indexers, but I don't know how, because I have a cluster environment and it's the first time I'm working with the props and transforms files.
One more thing, Giuseppe, about my initial question, "how many apps can I deploy in a universal forwarder?": do you know if there is a limit on deploying more than one input app? My main issue is that in my universal forwarder I have 2 different apps monitoring the same path, but if I deploy them together they don't work, whereas if I deploy them individually they work.

Thanks for your help


gcusello
SplunkTrust

Hi @splunk_soc360,
there isn't any limit to the number of inputs.conf files deployed on a Universal Forwarder.
But you have to pay attention not to duplicate inputs, because Splunk ingests a log only one time, so if you have two stanzas that take the same log, you take it only one time.
To understand if there is an overlap, you can look at your inputs.conf files or (if there are too many) use the command (on the UF)

./splunk btool inputs list --debug > my_inputs.txt

and see in the my_inputs.txt file which configuration is used.

About the transformation, if you don't have a Heavy Forwarder, you have to put it on the Indexers, and, if you have a Cluster, on the Master Node and push the configuration to the Peers; for more info see https://docs.splunk.com/Documentation/Splunk/8.0.2/Indexer/Manageappdeployment

Ciao.
Giuseppe

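An added example, not code from the thread or from Splunk, that does offline what the btool --debug check above does on the forwarder: it parses the two inputs.conf bodies posted in the question (embedded here as constructed strings), reports stanza names that more than one app defines, lists the attributes on which the apps disagree, and simulates the layered result. The simulation assumes the caller supplies the app precedence order (here App1 over App2, an assumption of the example); the general point it demonstrates is that Splunk merges same-named stanzas across apps into one stanza rather than running them as two inputs, which is why btool shows a single stanza for both apps.

```python
"""Detect colliding inputs.conf stanzas across Universal Forwarder apps."""
import re
from collections import defaultdict

# Constructed copies of the two apps' inputs.conf bodies from the question.
APP_CONFS = {
    "App1": """
[WinEventLog://ForwardedEvents]
index=index1
sourcetype=sourcetype1
whitelist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0
""",
    "App2": """
[WinEventLog://ForwardedEvents]
index=index2
sourcetype=sourcetype2
blacklist= 4100,4104,4103
evt_resolve_ad_obj=1
renderXml=0
""",
}

STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_conf(text):
    """Minimal .conf parser: {stanza_name: {key: value}} (no continuation lines)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def find_collisions(app_confs):
    """Return {stanza: {app: attrs}} for stanza names defined by more than one app."""
    owners = defaultdict(dict)
    for app, text in app_confs.items():
        for stanza, attrs in parse_conf(text).items():
            owners[stanza][app] = attrs
    return {s: a for s, a in owners.items() if len(a) > 1}


def conflicting_keys(collision):
    """Keys whose values differ between the apps, or exist in only one of them."""
    apps = list(collision)
    all_keys = set().union(*(collision[a].keys() for a in apps))
    return sorted(k for k in all_keys if len({collision[a].get(k) for a in apps}) > 1)


def merged_view(app_confs, precedence):
    """Simulate layering: attributes from apps earlier in `precedence` win,
    and attributes only one app sets survive in the merged stanza."""
    merged = {}
    for app in reversed(precedence):  # apply lowest precedence first
        for stanza, attrs in parse_conf(app_confs[app]).items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged


if __name__ == "__main__":
    for stanza, by_app in find_collisions(APP_CONFS).items():
        print(f"stanza [{stanza}] is defined by: {', '.join(by_app)}")
        print("  disagreeing keys:", conflicting_keys(by_app))
    # Assumed precedence order for the simulation (not stated in the thread).
    for stanza, attrs in merged_view(APP_CONFS, ["App1", "App2"]).items():
        print(f"effective [{stanza}]:")
        for k, v in attrs.items():
            print(f"  {k} = {v}")
```

In the merged stanza the whitelist from App1 admits only 4100, 4103 and 4104 while the blacklist inherited from App2 drops exactly those codes, so whichever app wins precedence the effective input collects nothing, matching the symptom in the question; that is the kind of overlap the btool output would reveal.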