Databases Reference
In-Depth Information
•
indexerbase
Assuming your indexers are configured similarly, it is handy to put all
indexer configuration into an app and deploy it like any other app.
All of these configurations are completely separate from search
concerns, which should be stored in separate apps built and
maintained through the Splunk web interface.
Let's imagine we have a distributed deployment across two data centers,
east
and
west
. Each data center has web servers, app servers, and database servers.
In each data center we have two Splunk indexers. The apps for this setup could
be as follows:
•
inputs-web
,
inputs-app
, and
inputs-db
°
inputs.conf
specifies the appropriate logs to monitor.
° Each app should be distributed to each machine that is serving
that purpose. If there are some machines that serve more than one
purpose, they should receive all appropriate apps.
•
props-web
,
props-app
, and
props-db
°
props.conf
specifies how to parse the logs.
°
transforms.conf
is included if there are relevant transforms.
° Different portions of
props.conf
are needed at different stages of
processing. Since it is difficult to know what stage is happening
where, it is generally easiest to distribute these source type props
apps everywhere.
•
props-west
, and
props-east
° Sometimes it is necessary to make configuration changes by location,
for instance, configuring time zone on machines that are not set up
properly. This can be accomplished by using the
TZ
setting in
props.conf
and sending this app to the appropriate data centers.
•
outputs-west
, and
outputs-east
° These would contain nothing but the
outputs.conf
configuration for
the appropriate data center.
Search WWH ::
Custom Search