Deployment Architecture

How to handle Custom App deployed to index peers with inputs.conf meant for UFs

Path Finder

I've created a custom app to get a custom sourcetype. The primary files I created were inputs.conf for the UF (location to monitor, etc.) and props.conf for the index peers to define the parsing of the sourcetype. I'm using the deployment server to push my app to all UFs that should be ingesting data and I had hoped to push the same app via my master node to the index cluster peers.

However, I realized as I did this that I'd be adding my inputs.conf to my index peers. The monitored directory doesn't exist on the indexes, but it is creating another monitoring process, isn't it?

I disabled the inputs.conf stanza on my master node's copy of the app folder to resolve this, but long term I'd like to use my deployment server with my master node as a client and deploy the SAME app from my deployment server to both my UFs and my Master Node and then to my Index Peers as described in "Update common peer configurations and apps => use deployment server to distribute the apps to the master":

At that point I have a single copy of my app folder, which needs to have an enabled inputs.conf for the UFs but doesn't need to be pushed to the index peers inputs.conf? Or is it not a problem that the stanza is defined on the indexes? Am I misunderstanding something?

0 Karma


If the directory does not exist on the indexers, the indexers will still periodically test to see if it has been created. So there is some overhead there, but it is probably quite small. And you should be able to monitor it either using the Distributed Management Console or with custom searches against the _internal index.

I would probably deploy the same app to both indexers and forwarders. Then I would monitor the effect on the indexers; if it is significant, then I would change my plan and have 2 versions of the app, one for the forwarders and one for the indexers. There really should not be much, if any, overlap between the two versions.

Path Finder

I agree, there's not typically technical overlap between the two "types" of apps - but there is from a functional perspective. Is it uncommon to have both the inputs and the props for a given set of events custom defined in many apps?

0 Karma
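
The fallback mentioned in the answer (two versions of the app, one per role) can be generated from a single source folder instead of being maintained by hand. The following is an added example, not code from the thread or from Splunk: it copies one app into a forwarder variant and an indexer variant and lists any `[monitor://...]` stanzas still enabled in each copy. The app name, monitored path, sourcetype and output layout are constructed for illustration, and it assumes `inputs.conf` is the only forwarder-specific file and `props.conf` the only indexer-specific one.

```python
import shutil
import tempfile
from pathlib import Path

# Assumption: inputs.conf is the only forwarder-specific file and props.conf
# the only indexer-specific one, as in the app described in the question.
FORWARDER_ONLY = ("inputs.conf",)
INDEXER_ONLY = ("props.conf",)

def split_app(src, out):
    """Copy one source app into out/forwarder/<app> and out/indexer/<app>."""
    src, out = Path(src), Path(out)
    skip = {"forwarder": INDEXER_ONLY, "indexer": FORWARDER_ONLY}
    paths = {}
    for role, names in skip.items():
        paths[role] = out / role / src.name
        shutil.copytree(src, paths[role], ignore=shutil.ignore_patterns(*names))
    return paths

def enabled_monitors(app_dir):
    """List [monitor://...] stanzas not marked disabled in any inputs.conf.
    Simplification: each file is read on its own; default/local layering is ignored."""
    found = []
    for conf in sorted(Path(app_dir).rglob("inputs.conf")):
        state, stanza = {}, None
        for line in map(str.strip, conf.read_text().splitlines()):
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
                state[stanza] = True
            elif stanza and "=" in line and not line.startswith("#"):
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "disabled":
                    state[stanza] = value.lower() not in ("1", "true")
        found += [s for s, on in state.items() if s.startswith("monitor://") and on]
    return found

def demo():
    """Build a constructed sample app, split it, and report what each copy monitors."""
    with tempfile.TemporaryDirectory() as tmp:
        default = Path(tmp, "src", "my_custom_app", "default")  # hypothetical app name
        default.mkdir(parents=True)
        (default / "inputs.conf").write_text("[monitor:///var/log/myapp]\nsourcetype = my_sourcetype\n")
        (default / "props.conf").write_text("[my_sourcetype]\nSHOULD_LINEMERGE = false\n")
        (default / "app.conf").write_text("[ui]\nis_visible = false\n")
        paths = split_app(default.parent, Path(tmp, "build"))
        report = {role: enabled_monitors(path) for role, path in paths.items()}
        report["indexer_files"] = sorted(p.name for p in paths["indexer"].rglob("*.conf"))
        return report

if __name__ == "__main__":
    print(demo())
```

Running `enabled_monitors` against the copy of the app staged for the index peers gives a quick pre-push check that no monitor input is about to be distributed to them.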