Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure

Create the "send to indexer" app

This topic discusses how to create the "Send to indexer" app. This app tells the universal forwarders in your Splunk App for Windows Infrastructure deployment to send data to the indexer.

Why create an app?

The short answer is, to make your deployment easier.

At first, this procedure might seem overly complicated, but performing this step makes it easier to control where universal forwarders send data. It also helps you understand another basic concept about Splunk: apps.

Splunk apps - like the Splunk App for Windows Infrastructure - help you extend the capabilities of Splunk Enterprise. In this case, creating and deploying the app helps you extend the capability of the indexer.

Once you complete the procedure, you can use the deployment server (described in the next topic) to deliver the app to all universal forwarders in your deployment. If you need to change the configuration, you can update the app and push it out to all of the forwarders again.

App description

The "Send to Indexer" app tells the universal forwarders in a Splunk App for Windows Infrastructure deployment to send data to one or more indexers in the deployment. The app prevents you from having to make potentially erroneous configuration changes on many hosts by limiting the change to one place. It also reduces the amount of configuration you have to do on those hosts.

The app consists of a single file, outputs.conf, that controls where and how the universal forwarders send data. This topic shows you how to create the outputs.conf file, and then how to package this file into the "Send to Indexer" app. Once that is done, you install the app on your deployment server (described in the next step of the process).

Create the outputs.conf file

Before packaging the "Send to Indexer" app, you must first create the outputs.conf file. In this procedure, you will create a file that supports sending data to a single indexer.

  1. Open Notepad or a similar text editor.
  2. In the editor, type in the following text, substituting indexer_hostname_or_ip_address and port with the host name or IP address and receiving port of the indexer you set up in the previous step:
    [tcpout]
    defaultGroup = default-autolb-group
    
    [tcpout:default-autolb-group]
    server = <indexer_hostname_or_ip_address>:<port>
    
    [tcpout-server://<indexer_hostname_or_ip_address>:<port>]
    
  3. Save the file as outputs.conf. (In Notepad, click File > Save As… and type in "outputs.conf" in the file dialog.)

Note: Learn more about outputs.conf at "Configure forwarders with outputs.conf" in the core Splunk Enterprise platform documentation.
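
The following check is an added example, not part of the Splunk documentation. It parses the lines of an outputs.conf like the one above and reports leftover `<placeholder>` text, a defaultGroup with no matching `[tcpout:...]` stanza, server entries that are not host:port, and `[tcpout-server://...]` stanzas that match no listed server. The function name Test-OutputsConf, the host idx01.example.com and the ports are assumptions made for the example.

```powershell
# Added example; Test-OutputsConf is a hypothetical helper, not a Splunk cmdlet.
# Assumes servers are written as hostname-or-IPv4:port (IPv6 literals are not handled).
function Test-OutputsConf {
    param([string[]]$Lines)
    $problems = [System.Collections.Generic.List[string]]::new()
    $stanzas = @{}; $current = $null; $servers = @(); $groups = @()
    foreach ($raw in $Lines) {    # parse stanzas and key = value settings
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '<[^>]+>') { $problems.Add("Placeholder not replaced: $line") }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]; $stanzas[$current] = @{}
        } elseif ($current -and $line -match '^([^=]+)=(.*)$') {
            $stanzas[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        } else { $problems.Add("Unparsed line: $line") }
    }
    # [tcpout] must name a default group, and every group needs its own stanza
    if ($stanzas.ContainsKey('tcpout') -and $stanzas['tcpout']['defaultGroup']) {
        $groups = $stanzas['tcpout']['defaultGroup'] -split '\s*,\s*'
    } else { $problems.Add('[tcpout] stanza with a defaultGroup setting is missing') }
    foreach ($group in $groups) {
        $target = $stanzas["tcpout:$group"]
        if (-not $target -or -not $target['server']) {
            $problems.Add("No [tcpout:$group] stanza with a server setting"); continue
        }
        foreach ($server in ($target['server'] -split '\s*,\s*')) {
            $servers += $server
            $ok = $server -match '^[A-Za-z0-9.-]+:(\d{1,5})$' -and
                  [int]$Matches[1] -ge 1 -and [int]$Matches[1] -le 65535
            if (-not $ok) { $problems.Add("Not host:port with port 1-65535: $server") }
        }
    }
    foreach ($name in $stanzas.Keys) {    # a per-server stanza must match a listed server
        if ($name -match '^tcpout-server://(.+)$' -and $servers -notcontains $Matches[1]) {
            $problems.Add("[$name] does not match any server in a default group")
        }
    }
    return $problems
}

# Constructed sample: the template filled in for a made-up indexer, with one port mistyped.
$sample = @'
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = idx01.example.com:9997
[tcpout-server://idx01.example.com:9998]
'@ -split '\r?\n'
@(Test-OutputsConf -Lines $sample) | ForEach-Object { Write-Warning $_ }
```

To check the file you saved, pass its contents instead of the sample, for example `Test-OutputsConf -Lines (Get-Content .\outputs.conf)`.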

Create the "send to Indexer" app

The next step of the process is to create the app and upload the outputs.conf file you just created as an asset for the app.

  1. Log back into the indexer that you set up receiving on in "Install a Splunk Enterprise Indexer".
  2. In the system bar, on the upper left, click Apps > Manage Apps. Splunk Enterprise loads the Apps settings page.
  3. Click Add New. Splunk Enterprise loads the "Add New" page.
  4. In the Name field, enter a name for the app, for example "Send to Indexer".
  5. In the Folder field, enter "sendtoindexer".
  6. In the "Version" field, enter "1.0.0".
  7. In the Visible radio buttons, check "No."
  8. In the "Author" field, type in your name.
  9. In the Description field, type in a description for the app.
  10. In the Templates list box, choose "barebones".
  11. Click Save. Splunk Enterprise saves the app and returns you to the Apps page.

Place the outputs.conf file into the app

Finally, copy the outputs.conf file into the app:

  1. Open a PowerShell window.
  2. Type in the following:
    > Copy-Item -Path <location of outputs.conf> -Destination <Splunk directory>\etc\apps\sendtoindexer\local -Force
    

What's next?

You should now see your app in the list on the Apps page. In the next step, you will activate the deployment server and use it to deploy the app.

This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 2.0.0


Comments

I just noticed Bpenn's comment on this doc.
It really could have saved me and others a LOT of time and effort if this caveat was included in the documentation. Only after having a local Splunk SE visit did I find the problem.

Carlflanagan
August 2, 2018

In Create the "send to Indexer" app, step 3, instead of "Add New", now in Splunk version 7 is shown as "Create App"

Amontoya1
April 12, 2018

Please update the documentation to delete the send_to_indexer app from the /etc/apps directory as it should only live in the /etc/deployment apps directory. Otherwise, the queues all fill up as the outputs.conf tells the Splunk Server to output data to itself, causing an infinite loop and a TCPout error.

Bpenn splunk, Splunker
September 8, 2017
