Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.

Create the "send to indexer" app

This topic discusses how to create the "Send to indexer" app. This app tells the universal forwarders in your Splunk App for Windows Infrastructure deployment to send data to the indexer.

Why create an app?

The short answer is, to make your deployment easier.

At first it might seem like this procedure is overly complicated. Performing this step makes it easier to control where universal forwarders send data. It also helps you understand another basic concept about Splunk: apps.

Splunk apps - like the Splunk App for Windows Infrastructure - help you extend the capabilities of Splunk Enterprise. In this case, creating and deploying the app helps you extend the capability of the indexer.

Once you complete the procedure, you can use the deployment server (described in the next topic) to deliver the app to all universal forwarders in your deployment. If you need to change the configuration, you can update the app and push it out to all of the forwarders again.

App description

The "Send to Indexer" app tells the universal forwarders in a Splunk App for Windows Infrastructure deployment to send data to one or more indexers in the deployment. The app prevents you from having to make potentially erroneous configuration changes on many hosts by limiting the change to one place. It also reduces the amount of configuration you have to do on those hosts.

The app consists of a single file, outputs.conf, that controls where and how the universal forwarders send data. This topic shows you how to create the outputs.conf file, and then how to package this file into the "Send to Indexer" app. Once that is done, you then install the app on your deployment server (described in the next step of the process.)

Create the outputs.conf file

Before packaging the "Send to Indexer" app, you must first create the outputs.conf file. In this procedure, you will create a file that supports sending data to a single indexer.

  1. Open Notepad or a similar text editor.
  2. In the editor, type in the following text, substituting indexer_hostname_or_ip_address and port with the host name or IP address and receiving port of the indexer you set up in the previous step:
    [tcpout]
    defaultGroup = default-autolb-group
    
    [tcpout:default-autolb-group]
    server = <indexer_hostname_or_ip_address>:<port>
    
    [tcpout-server://<indexer_hostname_or_ip_address>:<port>]
    
  3. Save the file as outputs.conf (In Notepad, click File > Save As… and type in "outputs.conf" in the file dialog.

Note: Learn more about outputs.conf at "Configure forwarders with outputs.conf" in the core Splunk Enterprise platform documentation.

Create the "send to Indexer" app

The next step of the process is to create the app and upload the outputs.conf file you just created as an asset for the app.

  1. Log back into the indexer that you set up receiving on in "Install a Splunk Enterprise Indexer".
  2. In the system bar, on the upper left, click Apps > Manage Apps. Splunk Enterprise loads the Apps settings page.
  3. Click Add New. Splunk Enterprise loads the "Add New" page.
  4. In the Name field, enter a name for the app, for example "Send to Indexer".
  5. In the Folder field, enter "sendtoindexer".
  6. In the "Version' field, enter "1.0.0".
  7. In the Visible radio buttons, check "No."
  8. In the "Author' field, type in your name.
  9. In the Description field, type in a description for the app.
  10. In the Templates list box, choose "barebones".
  11. Click Save. Splunk Enterprise saves the app and returns you to the Apps page.

Place the outputs.conf file into the app

Finally, copy the outputs.conf file into the app:

  1. Open a PowerShell window.
  2. Type in the following:
    > Copy-Item -Path <location of outputs.conf> -Destination <Splunk directory>\etc\apps\sendtoindexer\local -Force
    

What's next?

You should now see your app in the list on the Apps page. In the next step, you will activate the deployment server and use it to deploy the app.

Last modified on 13 July, 2018
Install and configure a Splunk platform indexer   Set up a deployment server and create a server class

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters