- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Where to install Splunk for JMX App in a distr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a distributed Splunk environment: universal forwarders sending to indexers and dedicated search heads. Where would you install the Splunk for JMX app? Does it need to be split among the various components?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need to split out the components of the app:
1) the data collection logic goes on the Splunk UF.
SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local
2) the index definition goes on the Splunk Indexer
SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*
Note :
You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app
props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
the folder bin/boot ist not deployed via Deplayment Server. What ist the problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the folder is empty.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would need to split out the components of the app:
1) the data collection logic goes on the Splunk UF.
SPLUNK4JMX/bin/*
SPLUNK4JMX/default/inputs.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/logs
SPLUNK4JMX/local
2) the index definition goes on the Splunk Indexer
SPLUNK4JMX/default/indexes.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
3) the UI logic and Knowledge objects go on your Search Heads (or shared storage if you are using Search Head Pooling)
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/transforms.conf
SPLUNK4JMX/default/app.conf
SPLUNK4JMX/default/props.conf
SPLUNK4JMX/default/data/*
SPLUNK4JMX/local
SPLUNK4JMX/appserver/*
Note :
You'll need to manually enable the appropriate input for the the platform you are running on in inputs.conf on the Forwarder , this is usually done using setup.xml in a SplunkWeb based install of the app
props.conf and transforms.conf contain both index time and search time transforms/extractions , hence why they are put on the Indexer and Search Head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you are correct, thx 🙂 Forgot I was dealing with a UF in the original question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien, if props.conf contains attributes that are used at index time it needs to go either at the indexer OR remain at the forwarder if it is a heavy forwarder.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
