Create the "send to indexer" app
This topic discusses how to create the "Send to indexer" app. This app tells the universal forwarders in your Splunk App for Microsoft Exchange deployment to send data to the indexer.
Why create an app?
The short answer is, to make your deployment easier.
At first it might seem like this procedure is overly complicated. Performing this step makes it easier to control where universal forwarders send data. It also helps you understand another basic concept about Splunk: apps.
Splunk apps - like the Splunk App for Microsoft Exchange - help you extend the capabilities of Splunk Enterprise. In this case, creating and deploying the app helps you extend the capability of the indexer.
Once you complete the procedure, you can use the deployment server (described in the next topic) to deliver the app to all universal forwarders in your deployment. If you need to change the configuration, you can update the app and push it out to all of the forwarders again.
App description
The "Send to Indexer" app tells the universal forwarders in a Splunk App for Microsoft Exchange deployment to send data to one or more indexers in the deployment. The app prevents you from having to make potentially erroneous configuration changes on many hosts by limiting the change to one place. It also reduces the amount of configuration you have to do on those hosts.
The app consists of a single file, outputs.conf, that controls where and how the universal forwarders send data. This topic shows you how to create the outputs.conf file and then how to package it into the "Send to Indexer" app. Once that is done, you install the app on your deployment server (described in the next step of the process).
Create the outputs.conf file
Before packaging the "Send to Indexer" app, you must first create the outputs.conf file. In this procedure, you create a file that supports sending data to a single indexer.
To learn more about outputs.conf, see Configure forwarders with outputs.conf in the Forwarding Manual.
- Open Notepad or a similar text editor.
- In the editor, type in the following text, substituting indexer_hostname_or_ip_address and port with the host name or IP address and receiving port of the indexer you set up in the previous step.

    [tcpout]
    defaultGroup = default-autolb-group

    [tcpout:default-autolb-group]
    server = <indexer_hostname_or_ip_address>:<port>

    [tcpout-server://<indexer_hostname_or_ip_address>:<port>]
- Save the file as outputs.conf. (In Notepad, click File > Save As… and type "outputs.conf" in the file dialog.)
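As an added sanity check (not part of this topic or of the Splunk app), the following Python script parses an outputs.conf like the one above and reports anything that does not line up before you package it: a missing defaultGroup, a group stanza that does not exist, a server entry that is not host:port (for example a placeholder left in place of the real indexer), or a server with no matching tcpout-server stanza. The indexer host name and port in the sample are constructed.

```python
"""Sanity-check an outputs.conf before packaging it into the sendtoindexer app."""
import configparser

# Constructed sample with the same stanzas the procedure tells you to type;
# the host name and port are placeholders, not a real deployment.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = exch-indexer.example.local:9997

[tcpout-server://exch-indexer.example.local:9997]
"""


def parse_outputs_conf(text):
    """Parse Splunk .conf text. Splunk keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_outputs_conf(text):
    """Return a list of problems found; an empty list means the stanzas are consistent."""
    cp = parse_outputs_conf(text)
    if not cp.has_option("tcpout", "defaultGroup"):
        return ["[tcpout] is missing defaultGroup"]
    group = cp.get("tcpout", "defaultGroup")
    group_stanza = f"tcpout:{group}"
    if not cp.has_section(group_stanza):
        return [f"defaultGroup '{group}' has no [{group_stanza}] stanza"]
    # 'server' may list several indexers separated by commas.
    raw = cp.get(group_stanza, "server", fallback="")
    servers = [s.strip() for s in raw.split(",") if s.strip()]
    problems = []
    if not servers:
        problems.append(f"[{group_stanza}] lists no server")
    for target in servers:
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            problems.append(f"'{target}' is not host:port")
            continue
        if not cp.has_section(f"tcpout-server://{target}"):
            problems.append(f"no [tcpout-server://{target}] stanza for '{target}'")
    return problems


if __name__ == "__main__":
    print(check_outputs_conf(SAMPLE_OUTPUTS_CONF) or "outputs.conf looks consistent")
```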
Create the "Send to Indexer" app
The next step of the process is to create the app and upload the outputs.conf file you just created as an asset for the app.
- Log back into the indexer that you set up receiving on in "Install a Splunk Enterprise Indexer".
- In the system bar, on the upper left, click Apps > Manage Apps. Splunk Enterprise loads the Apps settings page.
- Click Add New. Splunk Enterprise loads the "Add New" page.
- In the Name field, enter a name for the app, for example "Send to Indexer".
- In the Folder field, enter "sendtoindexer".
- In the Version field, enter "1.0.0".
- In the Visible radio buttons, check "No."
- In the Author field, type in your name.
- In the Description field, type in a description for the app.
- In the Templates list box, choose "barebones".
- Click Save. Splunk Enterprise saves the app and returns you to the Apps page.
Place the outputs.conf file into the app
Finally, copy the outputs.conf file into the app:
- Open a PowerShell window.
- Type in the following:
> Copy-Item -Path <location of outputs.conf> -Destination <Splunk directory>\etc\apps\sendtoindexer\local -Force
Next Steps
You should now see your app in the list on the Apps page. In the next step, you will activate the deployment server and use it to deploy the app.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3