How can I forward all "Splunk Deployment Monitor App" to another Splunk

Question

I wondering if you could help me with an issue… Here in mine company we installed different servers to each different splunk rules.

So now I’d like to look to only one “Splunk Deployment Monitor App” and see on it all about of the healthy of my splunk environment.

There's a way to forward this kind of information to indexers and enable the “Splunk Deployment Monitor App” on the search heads… ?

What I did was: Enable “Splunk Deployment Monitor App” in each server… Which seems to be wrong because I don’t have this information centralized…! And I need to acces each server to see that information...

Could someone please give me a tip for this ?!

Thanks so much,

Marcelo Amaral

Answer 1

In your serverclass.conf file, whitelist / blacklist a pattern for your servers. In the example I have the prefix on the server.

$Splunk_Home\etc\system\local\serverclass.conf:

[global]

#Set Classes
[serverClass:Location01]
whitelist.0=Loc01*

[serverClass:Location02]
whitelist.0=Loc02*

[serverClass:Location03]
whitelist.0=Loc03*

#App
[serverClass:Location01:app:Forward2Location01]
stateOnClient=enabled
restartSplunkd=true

[serverClass:Location02:app:Forward2Location02]
stateOnClient=enabled
restartSplunkd=true

[serverClass:Location03:app:Forward2Location03]
stateOnClient=enabled
restartSplunkd=true

Create an app for each location. This will point to the indexer you want the data sent to.

$Splunk_Home\etc\deployment-apps\Forward2Location01\outputs.conf

[tcpout]
defaultGroup=Location01

[tcpout:Location01]
server=SplunkIndex01:9997

With this you can have one deployment server and when the clients get download the app, it will tell the server which server to send the data to.

Answer 2

Hi Anthony, thanks for answer my question but I do think there's a misunderstood here... Splunk Deployment Monitor is an builtin app on splunk 4.2 that you cona enable or not in case you want monitoring your splunk envirioment. Our issue here is related with the fact that we have 4 indexers 2 search heads and 2 heavy forwarders and we'd like to look to only one "Splunk Deployment Monitor" and get all information related with all others server.. Your example of serverclass.conf we've already done here to setup some of our apps but I do think it wouldn't work with Splunk Deployment Monitor"; Is there another way to figure out that issue? Thanks,

Amaral

Answer 3

If you enable the app on the search head (SH) and the SH already lists all the indexers as search peers, then you should be able to get the aggregate view from the SH itself.

However, in case your SH does not store the summary indexes locally but rather forwards everything to the indexers themselves, then you'll have to manually create the Deployment Monitor's specific indexes on the indexers, too.

EDIT: in case you have multiple search heads, you'd better follow these docs.

How can I forward all "Splunk Deployment Monitor App" to another Splunk

Follow this question

Splunk Resources

Related questions