Create the "send to indexer" app
This topic discusses how to create the "Send to indexer" app. This app tells the universal forwarders in your Splunk App for Windows Infrastructure deployment to send data to the indexer.
Why create an app?
The short answer is, to make your deployment easier.
At first it might seem like this procedure is overly complicated. Performing this step makes it easier to control where universal forwarders send data. It also helps you understand another basic concept about Splunk: apps.
Splunk apps - like the Splunk App for Windows Infrastructure - help you extend the capabilities of Splunk Enterprise. In this case, creating and deploying the app helps you extend the capability of the indexer.
Once you complete the procedure, you can use the deployment server (described in the next topic) to deliver the app to all universal forwarders in your deployment. If you need to change the configuration, you can update the app and push it out to all of the forwarders again.
The "Send to Indexer" app tells the universal forwarders in a Splunk App for Windows Infrastructure deployment to send data to one or more indexers in the deployment. The app prevents you from having to make potentially erroneous configuration changes on many hosts by limiting the change to one place. It also reduces the amount of configuration you have to do on those hosts.
The app consists of a single file,
outputs.conf, that controls where and how the universal forwarders send data. This topic shows you how to create the outputs.conf file, and then how to package this file into the "Send to Indexer" app. Once that is done, you then install the app on your deployment server (described in the next step of the process.)
Create the outputs.conf file
Before packaging the "Send to Indexer" app, you must first create the
outputs.conf file. In this procedure, you will create a file that supports sending data to a single indexer.
- Open Notepad or a similar text editor.
- In the editor, type in the following text, substituting
portwith the host name or IP address and receiving port of the indexer you set up in the previous step:
[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = <indexer_hostname_or_ip_address>:<port> [tcpout-server://<indexer_hostname_or_ip_address>:<port>]
- Save the file as
outputs.conf(In Notepad, click File > Save As… and type in "outputs.conf" in the file dialog.
Note: Learn more about outputs.conf at "Configure forwarders with outputs.conf" in the core Splunk Enterprise platform documentation.
Create the "send to Indexer" app
The next step of the process is to create the app and upload the
outputs.conf file you just created as an asset for the app.
- Log back into the indexer that you set up receiving on in "Install a Splunk Enterprise Indexer".
- In the system bar, on the upper left, click Apps > Manage Apps. Splunk Enterprise loads the Apps settings page.
- Click Add New. Splunk Enterprise loads the "Add New" page.
- In the Name field, enter a name for the app, for example "Send to Indexer".
- In the Folder field, enter "sendtoindexer".
- In the "Version' field, enter "1.0.0".
- In the Visible radio buttons, check "No."
- In the "Author' field, type in your name.
- In the Description field, type in a description for the app.
- In the Templates list box, choose "barebones".
- Click Save. Splunk Enterprise saves the app and returns you to the Apps page.
Place the outputs.conf file into the app
Finally, copy the
outputs.conf file into the app:
- Open a PowerShell window.
- Type in the following:
> Copy-Item -Path <location of outputs.conf> -Destination <Splunk directory>\etc\apps\sendtoindexer\local -Force
You should now see your app in the list on the Apps page. In the next step, you will activate the deployment server and use it to deploy the app.
Install and configure a Splunk platform indexer
Set up a deployment server and create a server class
This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3