first commit

Deployment_Server

@@ -0,0 +1 @@
+Subproject commit d4d9f57a05b0e766ab37702728e9325bc5572ff3

Splunk_Install/Apps_for_DS/01-Conf_license_slave/default/app.conf

@@ -0,0 +1,11 @@
+        [launcher]
+        version = 1.0.0
+        author =  VABOS
+        description = Configure instance as License Slave
+
+        [package]
+        id = Conf_license_slave
+
+
+        [ui]
+        is_visible = false

Splunk_Install/Apps_for_DS/01-Conf_license_slave/default/server.conf

@@ -0,0 +1,9 @@
+        # In distributed environments, it's common to have a lone search head acting
+        # as the license master as well. In this configuration, providing the URI
+        # of the license master is easiest within the indexer_base configuration.
+        # In the event that there are multiple search heads, you could instead use
+        # the org_all_license app, shipped to the non-license SH, as well as all of
+        # the indexers. In either event, the settings are the same.
+
+        [license]
+        master_uri = https://SVLCTMLOGCLM01.unit-c.edf.fr:8089

Splunk_Install/Apps_for_DS/01-Conf_license_slave/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/01-idx_kvstore_base/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0.0
+author =  VABOS
+description = Disable Kvstore on Indexers
+
+[package]
+id = edf_idx_kvstore_base
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/01-idx_kvstore_base/default/server.conf

@@ -0,0 +1,4 @@
+# kvstore not needed on indexers, let's disable it
+# even when distributing collection via bundle, it won't be used on indexer as this use lookups in the background
+[kvstore]
+disabled = true

Splunk_Install/Apps_for_DS/01-idx_kvstore_base/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/01-idx_receiver_port/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0.0
+author =  VABOS
+description = Enable receiving on Indexer layer
+
+[package]
+id = edf_idx_receiver_port
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/01-idx_receiver_port/default/inputs.conf

@@ -0,0 +1 @@
+[splunktcp://9997]

Splunk_Install/Apps_for_DS/01-idx_receiver_port/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/01-idx_volume_indexes/default/app.conf

@@ -0,0 +1,11 @@
+
+[launcher]
+version = 1.0.0
+author = VABOS
+description = Contient la configuration des volumes de données
+
+[package]
+id = edf_idx_volume_indexes
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/01-idx_volume_indexes/default/indexes.conf

@@ -0,0 +1,7 @@
+[volume:primary]
+path = /data/splunk_data
+maxVolumeDataSizeMB = 60000
+
+[volume:secondary]
+path = /data_cold/splunk_data
+maxVolumeDataSizeMB = 240000

Splunk_Install/Apps_for_DS/01-idx_volume_indexes/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/01-idx_volume_indexes/metadata/local.meta

@@ -0,0 +1,3 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/01-idx_web_base/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0.0
+author = Mattys Hervé (OBS)
+description = Disable Web access on Indexers
+
+[package]
+id = odin_idx_web_base
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/01-idx_web_base/default/web.conf

@@ -0,0 +1,12 @@
+# In larger environments, where there are more than, say, three indexers,
+# it's common to disable the Splunk UI. This helps avoid configuration issues
+# caused by logging in to the UI to do something directly via the manager,
+# as well as saving some system resources.
+
+[settings]
+ startwebserver = 0
+
+# avoid timeout when indexer loaded 
+splunkdConnectionTimeout = 120
+
+

Splunk_Install/Apps_for_DS/01-idx_web_base/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/02-M-TIC_all_forwarding_outputs/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0
+author =  VABOS
+description = Enable forwarding to Indexer layer
+
+[package]
+id = m-tic_all_forwarding_outputs
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/02-M-TIC_all_forwarding_outputs/default/outputs.conf

@@ -0,0 +1,12 @@
+# BASE SETTINGS
+
+[tcpout]
+# Change here to specify the indexer group
+defaultGroup = m-tic_indexer
+maxQueueSize = 7MB
+useACK = true
+forceTimebasedAutoLB = true
+
+[tcpout:m-tic_indexer]
+server =  SVLCTMLOGIDX01.unit-c.edf.fr:9997, SVLCTMLOGIDX02.unit-c.edf.fr:9997
+~

Splunk_Install/Apps_for_DS/02-M-TIC_all_forwarding_outputs/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/02-M-TIC_catchall_forwarders_inputs/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_updates = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_catchall_forwarders_inputs/local/inputs.conf

@@ -0,0 +1,4 @@
+[monitor:///var/rsyslog/*/catchother/*/*/*.log]
+disabled = false
+index = idx_m-tic_catchall
+sourcetype = catchall

Splunk_Install/Apps_for_DS/02-M-TIC_catchall_forwarders_inputs/metadata/local.meta

@@ -0,0 +1,3 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/02-M-TIC_cisco_forwarders_inputs/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_updates = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_cisco_forwarders_inputs/local/inputs.conf

@@ -0,0 +1,4 @@
+[monitor:///var/rsyslog/*/cisco/.../*.log]
+disabled = false
+index = idx_m-tic_cisco
+sourcetype = cisco

Splunk_Install/Apps_for_DS/02-M-TIC_cisco_forwarders_inputs/metadata/local.meta

@@ -0,0 +1,3 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/02-M-TIC_cluster_forwarder_outputs/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_update = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_cluster_forwarder_outputs/local/outputs.conf

@@ -0,0 +1,12 @@
+[tcpout]
+defautlGroup = primary_indexers
+maxQueuSize = 100MB
+useACK = true
+forceTimebaseAutoLB = true
+forwardedindex.2.whitelist = (_audit|_introspection|_internal)
+
+[tcpout:primary_indexers]
+server = SVLCTMLOGIDX01.unit-c.edf.fr:9997, SVLCTMLOGIDX02.unit-c.edf.fr:9997
+
+#clientCert = $SPLUNK_HOME/etc/auth/server.pem
+#sslPassword = 

Splunk_Install/Apps_for_DS/02-M-TIC_cluster_forwarder_outputs/local/server.conf

@@ -0,0 +1,2 @@
+[sslConfig]
+sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem

Splunk_Install/Apps_for_DS/02-M-TIC_cluster_master_base/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0.0
+author =  VABOS
+description = Configure Cluster Master
+
+[package]
+id = M-TIC_cluster_master_base
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/02-M-TIC_cluster_master_base/default/distsearch.conf

@@ -0,0 +1,19 @@
+[distributedSearch:dmc_group_search_head]
+servers = localhost:localhost
+[distributedSearch:dmc_group_cluster_master]
+
+
+[distributedSearch:dmc_group_license_master]
+
+[distributedSearch:dmc_group_deployment_server]
+
+[distributedSearch:dmc_group_indexer]
+default = false
+servers = SVLCTMLOGIDX01.unit-c.edf.fr:8089,SVLCTMLOGIDX02.unit-c.edf.fr:8089
+
+[distributedSearch:dmc_group_shc_deployer]
+
+[distributedSearch:dmc_group_kv_store]
+
+[distributedSearch:dmc_indexerclustergroup_Cluster_M-TIC]
+servers = localhost:localhost,SVLCTMLOGIDX01.unit-c.edf.fr:8089,SVLCTMLOGIDX02.unit-c.edf.fr:8089

Splunk_Install/Apps_for_DS/02-M-TIC_cluster_master_base/default/server.conf

@@ -0,0 +1,5 @@
+[clustering]
+cluster_label = Cluster_M-TIC
+mode = master
+pass4SymmKey = $7$iQ3wl+w1tMlCZXopQ/BDXHv8e+xGXGR10mvQYOiCdPxZuIkKX87oMm85MSkitkPk3PYW2Qhjc/kSMq2B5M0=
+replication_factor = 2

Splunk_Install/Apps_for_DS/02-M-TIC_cluster_master_base/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/02-M-TIC_deployer_base/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_update = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_deployer_base/local/server.conf

@@ -0,0 +1,3 @@
+[shclustering]
+pass4SymmKey = $7$iQ3wl+w1tMlCZXopQ/BDXHv8e+xGXGR10mvQYOiCdPxZuIkKX87oMm85MSkitkPk3PYW2Qhjc/kSMq2B5M0=
+shcluster_label = M-TIC_shcluster

Splunk_Install/Apps_for_DS/02-M-TIC_esxi_forwarders_inputs/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_updates = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_esxi_forwarders_inputs/local/inputs.conf

@@ -0,0 +1,4 @@
+[monitor:///var/rsyslog/*/esxi/*/*/*.log]
+disabled = false
+index = idx_m-tic_esxi
+sourcetype = esxi

Splunk_Install/Apps_for_DS/02-M-TIC_esxi_forwarders_inputs/metadata/local.meta

@@ -0,0 +1,3 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/02-M-TIC_fortigate_forwarders_inputs/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_updates = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_fortigate_forwarders_inputs/local/inputs.conf

@@ -0,0 +1,4 @@
+[monitor:///var/rsyslog/*/fortigate/*/*/*.log]
+disabled = false
+index = idx_m-tic_fortigate
+sourcetype = fortigate

Splunk_Install/Apps_for_DS/02-M-TIC_fortigate_forwarders_inputs/metadata/local.meta

@@ -0,0 +1,3 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/02-M-TIC_idx_cluster_base/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0.0
+author =  VABOS
+description = Configure default clustering options on Indexers
+
+[package]
+id = M-TIC_idx_cluster_base
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/02-M-TIC_idx_cluster_base/default/fields.conf

@@ -0,0 +1,2 @@
+[edfZone]
+INDEXED = true

Splunk_Install/Apps_for_DS/02-M-TIC_idx_cluster_base/default/server.conf

@@ -0,0 +1,6 @@
+[replication_port://9100]
+
+[clustering]
+manager_uri = https://SVLCTMLOGCLM01.unit-c.edf.fr:8089
+mode = peer
+pass4SymmKey = $7$iQ3wl+w1tMlCZXopQ/BDXHv8e+xGXGR10mvQYOiCdPxZuIkKX87oMm85MSkitkPk3PYW2Qhjc/kSMq2B5M0=

Splunk_Install/Apps_for_DS/02-M-TIC_idx_cluster_base/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/02-M-TIC_idx_indexes_base/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0.0
+author =  VABOS
+description = Configure default optimisation on Indexers
+
+[package]
+id = edf_idx_indexes_base
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/02-M-TIC_idx_indexes_base/default/indexes.conf

@@ -0,0 +1,65 @@
+[default]
+thawedPath = $SPLUNK_DB/$_index_name/thaweddb
+coldPath = volume:secondary/$_index_name/colddb
+homePath = volume:primary/$_index_name/db
+tstatsHomePath = volume:primary/$_index_name/datamodel_summary
+tsidxWritingLevel = 4
+journalCompression = zstd
+enableDataIntegrityControl = 0
+enableTsidxReduction = 0
+archiver.enableDataArchive = 0
+bucketRebuildMemoryHint = 1
+compressRawdata = 1
+enableOnlineBucketRepair = 1
+rtRouterQueueSize =
+rtRouterThreads =
+selfStorageThreads =
+suspendHotRollByDeleteQuery = 0
+syncMeta = 1
+
+[idx_m-tic_windows]
+
+[idx_m-tic_fortigate]
+
+[idx_m-tic_linux]
+
+[idx_m-tic_esxi]
+
+[vmware-esxilog]
+
+[vmware-perf-metrics]
+datatype = metric
+
+[vmware-inv]
+
+[vmware-taskevent]
+
+[vmware-vclog]
+
+[idx_m-tic_alcatel]
+
+[idx_m-tic_cisco]
+
+[idx_m-tic_switch]
+
+[idx_m-tic_catchall]
+
+[idx_m-tic_catchother]
+
+[idx_m-tic_other]
+
+[idx_m-tic_glpi]
+
+[idx_m-tic_glpi_vm]
+
+[idx_m-tic_glpi_kb]
+
+[idx_m-tic_glpi_sep]
+
+[idx_m-tic_glpi_obsolescence]
+
+[idx_m-tic_genetec_sc]
+
+[idx_ldap]
+
+[idx_m-tic_synology]

Splunk_Install/Apps_for_DS/02-M-TIC_idx_indexes_base/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/02-M-TIC_linux_forwarders_inputs/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_updates = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_linux_forwarders_inputs/local/inputs.conf

@@ -0,0 +1,5 @@
+[monitor:///var/rsyslog/*/linux/.../*.log]
+disabled = 0
+host_segment = 6
+index = idx_m-tic_linux
+sourcetype = syslog_linux

Splunk_Install/Apps_for_DS/02-M-TIC_linux_forwarders_inputs/metadata/local.meta

@@ -0,0 +1,3 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/02-M-TIC_sh_cluster_base/default/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_updates = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_sh_cluster_base/default/server.conf

@@ -0,0 +1,17 @@
+[clustering]
+mode = searchhead
+manager_uri = clustermanager:one
+
+[clustermanager:one]
+manager_uri = https://SVLCTMLOGCLM01.unit-c.edf.fr:8089
+pass4SymmKey = $7$S9wq9h/bAbFgNYLo/9vsjHEwpY2z8IkPYQ663LGXb6cLu5YmhyEQnSS3+7jNTRzFBQ==
+multisite = false
+
+[shclustering]
+shcluster_label = M-TIC_shcluster
+conf_deploy_fetch_url = https://SVLCTMLOGSUP01.unit-c.edf.fr:8089
+pass4SymmKey = $7$S9wq9h/bAbFgNYLo/9vsjHEwpY2z8IkPYQ663LGXb6cLu5YmhyEQnSS3+7jNTRzFBQ==
+
+[httpServer]
+maxThreads = 150000
+maxSockets = 250000

Splunk_Install/Apps_for_DS/02-M-TIC_sh_cluster_base/metadata/default.meta

@@ -0,0 +1,3 @@
+[]
+acces = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/02-M-TIC_sh_idxcluster_base/default/app.conf

@@ -0,0 +1,11 @@
+[launcher]
+version = 1.0.0
+author = VABOS
+description = Configure Search Head for IDX Clustering
+
+[package]
+id = M-TIN_sh_idxcluster_base
+
+
+[ui]
+is_visible = false

Splunk_Install/Apps_for_DS/02-M-TIC_sh_idxcluster_base/default/server.conf

@@ -0,0 +1,9 @@
+[general]
+site = site2
+
+[clustering]
+multisite = true
+master_uri = https://SVLCTMLOGCLM01.unit-c.edf.fr:8089
+mode = searchhead
+pass4SymmKey = $7$i7IqoiyC1DpnVbSVtwGzuVTO5rmVyPCI2CMacpHEFs3N2oFAaF0EJ049Otza
+

Splunk_Install/Apps_for_DS/02-M-TIC_sh_idxcluster_base/local/app.conf

@@ -0,0 +1 @@
+# Autogenerated file 

Splunk_Install/Apps_for_DS/02-M-TIC_sh_volume_indexes/default/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_update = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_sh_volume_indexes/default/indexes.conf

@@ -0,0 +1,6 @@
+# One Volume for Hot and Cold
+[volume:primary]
+path = /opt/splunk/var/lib/splunk
+
+[volume:secondary]
+path = /opt/splunk/var/lib/splunk

Splunk_Install/Apps_for_DS/02-M-TIC_windows_forwarders_inputs/local/app.conf

@@ -0,0 +1,9 @@
+[install]
+state = enabled
+
+[package]
+check_for_updates = false
+
+[ui]
+is_visible = false
+is_manageable = false

Splunk_Install/Apps_for_DS/02-M-TIC_windows_forwarders_inputs/local/inputs.conf

@@ -0,0 +1,7 @@
+[WinEventLog]
+interval=60
+evt_resolve_ad_obj = 0
+evt_dc_name=
+evt_dns_name=
+index = idx_m-tic_windows
+sourcetype = events_windows

Splunk_Install/Apps_for_DS/02-M-TIC_windows_forwarders_inputs/metadata/local.meta

@@ -0,0 +1,3 @@
+[]
+access = read : [ * ], write : [ admin ]
+export = system

Splunk_Install/Apps_for_DS/For_MC/local/distsearch.conf

@@ -0,0 +1,27 @@
+[distributedSearch]
+servers = https://SVLCTMLOGCLM01.unit-c.edf.fr:8089,https://SVLCTMLOGPUB01.unit-c.edf.fr:8089,https://SVLCTMLOGPUB02.unit-c.edf.fr:8089
+
+[distributedSearch:dmc_group_deployment_server]
+servers = localhost:localhost
+
+[distributedSearch:dmc_group_kv_store]
+servers = SVLCTMLOGCLM01.unit-c.edf.fr:8089,SVLCTMLOGPUB01.unit-c.edf.fr:8089,SVLCTMLOGPUB02.unit-c.edf.fr:8089
+
+[distributedSearch:dmc_group_license_master]
+servers = SVLCTMLOGCLM01.unit-c.edf.fr:8089
+
+[distributedSearch:dmc_group_shc_deployer]
+servers = localhost:localhost
+
+[distributedSearch:dmc_group_cluster_master]
+servers = SVLCTMLOGCLM01.unit-c.edf.fr:8089
+
+[distributedSearch:dmc_group_indexer]
+default = true
+servers = SVLCTMLOGIDX01.unit-c.edf.fr:8089,SVLCTMLOGIDX02.unit-c.edf.fr:8089
+
+[distributedSearch:dmc_group_search_head]
+servers = SVLCTMLOGCLM01.unit-c.edf.fr:8089,SVLCTMLOGPUB01.unit-c.edf.fr:8089,SVLCTMLOGPUB02.unit-c.edf.fr:8089
+
+[distributedSearch:dmc_searchheadclustergroup_Cluster_SH_M-TIC]
+servers = localhost:localhost,SVLCTMLOGPUB01.unit-c.edf.fr:8089,SVLCTMLOGPUB02.unit-c.edf.fr:8089

Splunk_Install/Apps_for_DS/splunk_monitoring_console/local/splunk_monitoring_console_assets.conf

@@ -0,0 +1,3 @@
+[settings]
+disabled = 0
+configuredPeers = SVLCTMLOGPUB01.unit-c.edf.fr:8089,SVLCTMLOGPUB02.unit-c.edf.fr:8089,SVLCTMLOGIDX01.unit-c.edf.fr:8089,SVLCTMLOGIDX02.unit-c.edf.fr:8089,SVLCTMLOGCLM01.unit-c.edf.fr:8089,SVLCTMLOGCLM01.unit-c.edf.fr:8089

Splunk_Install/Apps_for_Splunk/01-Conf_ServerClass/local/serverclass.conf

@@ -0,0 +1,35 @@
+[global]
+crossServerChecksum = false
+repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
+targetRepositoryLocation = $SPLUNK_HOME/etc/apps
+tmpFolder = $SPLUNK_HOME/var/run/tmp
+
+stateOnClient = enabled
+
+restartSplunkWeb = False
+restartSplunkd = False
+issueReload = false
+continueMatching = true
+endpoint = $deploymentServerUri$/services/streams/deployment?name=$tenantName$:$serverClassName$:$appName$
+
+filterType = whitelist
+
+[serverClass:Licence_Master_TIC]
+
+[serverClass:Cluster_Master_TIC]
+
+[serverClass:Cluster_Indexer_TIC]
+
+[serverClass:Cluster_SH_TIC]
+
+[serverClass:Forwarder_Linux_TIC]
+
+[serverClass:Forwarder_Windows_TIC]
+
+[serverClass:Cluster_Master_TIH]
+
+[serverClass:Cluster_Indexer_TIH]
+
+[serverClass:Forwarder_Linux_TIH]
+
+[serverClass:Forwarder_Windows_TIH]

Splunk_Install/Apps_for_Splunk/01-Conf_deploy_client/local/deploymentclient.conf

@@ -0,0 +1,5 @@
+[target-broker:deploymentServer]
+targetUri = https://SVLCTMLOGSUP01.unit-c.edf.fr:8089
+
+[deployment-client]
+disabled = 0

Splunk_Install/Apps_for_Splunk/IDN-Conf_Proxy_Forwarder/local/app.conf

@@ -0,0 +1,10 @@
+[launcher]
+version = 1.0.0
+author = OB
+description = Configuration Proxy IDN
+[package]
+id = IDN-Conf_Proxy_forwarder
+[ui]
+is_visible = false
+[install]
+state = enabled

Splunk_Install/Apps_for_Splunk/IDN-Conf_Proxy_Forwarder/local/deploymentclient.conf

@@ -0,0 +1,2 @@
+[target-broker:deploymentServer]
+targetUri = https://80.205.212.20:8089

Splunk_Install/Apps_for_Splunk/IDN-Conf_Proxy_Forwarder/local/server.conf

@@ -0,0 +1,2 @@
+[proxyConfig]
+https_proxy = https://80.205.212.20:8089

Splunk_Install/Config_Rsyslog/01-Splunk_Forwarder-IDN_Lyon.conf

@@ -0,0 +1,110 @@
+# Configuration rsyslog pour utiliser avec un Splunk Forwarder a copier dans /etc/rsyslog.d
+
+#--------------------------Modules-----------------------------
+
+$ModLoad imudp
+$ModLoad imtcp
+
+#--------------------------Protocoles--------------------------
+
+$UDPServerRun 514
+$UDPServerRun 5140
+$InputTCPServerRun 514
+
+#--------------------------Folder------------------------------
+
+$DirCreateMode 0755
+$FileCreateMode 0640
+$DirOwner splunk
+$DirGroup splunk
+$FileOwner splunk
+$FileGroup splunk
+
+$RuleSet RSYSLOG_DefaultRuleSet
+
+#--------------------------Templates---------------------------
+
+# Template pour Fortigate
+template(name="fortigate" type="string" string="/var/rsyslog/%$myhostname%/fortigate/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log")
+
+# Template pour ESXi
+template(name="esxi" type="string" string="/var/rsyslog/%$myhostname%/esxi/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log")
+
+# Template pour Linux
+template(name="linux" type="string" string="/var/rsyslog/%$myhostname%/linux/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log")
+
+# Template pour Switch alcatel
+template(name="alcatel_omniswitch" type="string" string="/var/rsyslog/%$myhostname%/alcatel_omniswitch/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%/%syslogfacility-text%.log")
+
+# Template pour ILO
+template(name="ilo" type="string" string="/var/rsyslog/%$myhostname%/ilo/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log")
+
+# Template pour les equipement réseau
+template(name="network" type="string" string="/var/rsyslog/%$myhostname%/network/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log")
+
+# Template pour iDRAC
+template(name="idrac" type="string" string="/var/rsyslog/%$myhostname%/idrac/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log")
+
+# Template Catch-All
+template(name="catchall" type="string" string="/var/rsyslog/%$myhostname%/catchall/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log")
+
+#-------------------------Filtres et Actions------------------------------
+
+# Fortigate (identifié par 'devid="FG' dans le message)
+if $msg contains_i ' devid="FG' then {
+  action(type="omfile" dynaFile="fortigate")
+  stop
+}
+
+# ESXi (hôte commençant par 'spv')
+if $fromhost startswith "spv" then {
+  action(type="omfile" dynaFile="esxi")
+  stop
+}
+
+# Linux (hôte ou nom contenant 'svl')
+if $fromhost startswith "svl" or $hostname contains 'svl' then {
+  action(type="omfile" dynaFile="linux")
+  stop
+}
+
+# Cisco ASA (identifié par '%ASA' dans le tag syslog)
+if $syslogtag contains '%ASA' then {
+  action(type="omfile" dynaFile="network")
+  stop
+}
+
+# ILO (identifié par 'ILO' dans le message)
+if $msg contains_i "ILO" then {
+  action(type="omfile" dynaFile="ilo")
+  stop
+}
+
+# iDRAC (nom d'hôte contenant 'IDR')
+if $hostname contains_i "IDR" then {
+  action(type="omfile" dynaFile="idrac")
+  stop
+}
+
+# Réseau spécifique
+if ($fromhost-ip startswith '223.90.0' or $fromhost-ip startswith '223.94.0') then {
+  action(type="omfile" dynaFile="alcatel_omniswitch")
+  stop
+}
+
+# Catch-All (tous les autres logs)
+if $fromhost != $$myhostname then {
+  action(type="omfile" dynaFile="catchall")
+  stop
+}
+
+#----------------------- Options additionnelles -----------------------
+
+# Utilisation d'une file d'attente asynchrone pour améliorer les performances
+# Permet d'assurer un traitement non bloquant des logs en cas de surcharge
+$ActionQueueType LinkedList   # Type de queue : liste chaînée (asynchrone)
+$ActionQueueFileName syslogqueue  # Nom du fichier de queue
+$ActionResumeRetryCount -1    # Retenter indéfiniment si le serveur de logs est indisponible
+
+# Utilisation du format Syslog Protocol 23 (compatibilité maximale)
+$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format

Splunk_Install/Config_Rsyslog/01-Splunk_Forwarder.conf

@@ -0,0 +1,78 @@
+# Configuration rsyslog pour utiliser avec un Splunk Forwarder a copier dans /etc/rsyslog.d
+
+#--------------------------Modules-----------------------------
+
+$ModLoad imudp
+$ModLoad imtcp
+
+#--------------------------Protocoles--------------------------
+
+$UDPServerRun 514
+$UDPServerRun 5140
+$InputTCPServerRun 514
+
+#--------------------------Folder------------------------------
+
+$DirCreateMode 0755
+$FileCreateMode 0640
+$DirOwner splunk
+$DirGroup splunk
+$FileOwner splunk
+$FileGroup splunk
+
+$RuleSet RSYSLOG_DefaultRuleSet
+
+#--------------------------Templates---------------------------
+
+#Template Cisco
+$template ciscoasa,"/var/rsyslog/%$myhostname%/ciscoasa/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Fortigate
+$template fortigate,"/var/rsyslog/%$myhostname%/fortigate/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Esxi
+$template esxi,"/var/rsyslog/%$myhostname%/esxi/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Linux
+$template linux,"/var/rsyslog/%$myhostname%/linux/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Template Switch
+$template switch,"/var/rsyslog/%$myhostname%/switch/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Templates ILO
+$template ilo,"/var/rsyslog/%$myhostname%/ilo/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#Templates iDRAC
+$template ilo,"/var/rsyslog/%$myhostname%/idrac/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+# Catch All
+$template catchother,"/var/rsyslog/%$myhostname%/catchother/%$YEAR%-%$MONTH%-%$DAY%/%HOSTNAME%/%syslogfacility-text%.log"
+
+#-------------------------Filtres------------------------------
+
+if $msg contains_i ' devid="FG' then -?fortigate
+& stop
+
+if $fromhost startswith "spv" then -?esxi
+& stop
+
+if $fromhost startswith "svl" then -?linux
+& stop
+
+if $hostname contains 'svl' then -?linux
+& stop
+
+if $hostname contains 'SWI' then -?switch
+& stop
+
+if $syslogtag contains '%ASA' then -?ciscoasa
+& stop
+
+if $msg contains_i "ILO" then -?ilo
+& stop
+
+if $hostname contains_i "IDR" then -?idrac
+& stop
+
+if $fromhost != $$myhostname then -?catchother
+& stop

Splunk_Install/Keys_public/SVLCTMLOGSUP01.unit-c.edf.fr/trusted.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnKYWpilaQTRB1A19lN3W
+lnN9B8VTZOzZWMTOf0v8vk0SqTkrh4DSGYp0ikNcEG1ECAF+Gc5RxsaiKm3YuHa7
+lR5jcGguIv/rPIQSS25fPmYN6eddGx6iupcyQxatMFW5QZVjmCcxvorrRlqgNLhr
+CYhb3EoEQDO79yWTGf8pH5WUg+hI2jWinhUJqKflz/K+IH1u9iKuWmMXjHJR7O+/
+QX+t0t3vTR2XIbLU4kTUR0XKb8q8pUY8ew0F3chkJY4pKcKCdELioakWZEcf0Pcx
+Qt3H5MHSU1K5WD8xYfOmY/HOpWUuDHO31jpqnaCv4gJShELfA6ECGPD2QVxn6RcS
+EwIDAQAB
+-----END PUBLIC KEY-----

Splunk_Install/common/handlers/restart_splunk.yml

@@ -0,0 +1,37 @@
+---
+- name: "Retrieve PID 1 process information (Linux)"
+  command: "ps 1"
+  register: pid1
+  when:
+    - ansible_system is match("Linux")
+    - pid1 is not defined
+
+- name: "Restart the splunkd service - Via CLI"
+  command: "{{ splunk_exec }} restart --answer-yes --accept-license"
+  become: yes
+  become_user: "{{ splunk_user }}"
+  register: task_result
+  until: task_result.rc == 0
+  retries: 3
+  delay: "{{ delay_num }}"
+  when: not splunk_enable_service
+
+- name: "Restart the splunkd service - Via systemd"
+  service:
+    name: "{% if pid1.stdout.find('systemd') != -1 %}Splunkd{% else %}splunk{% endif %}"
+    state: restarted
+  when:
+    - splunk_enable_service
+    - ansible_system is match("Linux")
+  become: yes
+  become_user: "{{ privileged_user }}"
+
+- name: "Restart the splunkd service - Via windows system"
+  win_service:
+    name: splunkd
+    state: restarted
+  when: splunk_enable_service and not ansible_system is match("Linux")
+
+- name: "Wait for splunkd management port"
+  wait_for:
+    port: "{{ splunk_svc_port }}"

Splunk_Install/common/tasks/apply_dmc_trusted_pem.yml

@@ -0,0 +1,29 @@
+---
+- name: Get DMC Name
+  set_fact:
+    dmc_name: "{{ hostvars[groups.splunk_monitoring_console[0]].inventory_hostname_short }}"
+  when: not splunk_single_instance
+
+- name: "Ensure that {{ dest_path }} exists"
+  file:
+    path: "{{ splunk_home }}/etc/{{ dest_path | dirname }}"
+    state: directory
+    recurse: yes
+    group: "{{ splunk_group }}"
+    owner: "{{ splunk_user }}"
+  ignore_errors: true
+  vars:
+    dest_path: "auth/distServerKeys/{{ dmc_name }}/"
+  become: yes
+  become_user: "{{ splunk_user }}"
+  when: not splunk_single_instance
+
+- name: Copy trusted.pem to server
+  copy:
+    src: "/tmp/trusted.pem"
+    dest: "{{ splunk_home }}/etc/auth/distServerKeys/{{ dmc_name }}/trusted.pem"
+    group: "{{ splunk_group }}"
+    owner: "{{ splunk_user }}"
+  become: yes
+  become_user: "{{ splunk_user }}"
+  when: not splunk_single_instance

Splunk_Install/common/tasks/create_app_via_template.yml

@@ -0,0 +1,47 @@
+---
+- name: Default files added to the list
+  set_fact:
+    app_configs:
+      - template_path: "{{ playbook_dir }}/common/templates/app.j2"
+        template_output_path: "app.conf"
+
+- name: Ensure that all local paths exists
+  file:
+    path: "{{ playbook_dir }}/splunk_apps/base_apps/{{ app_name }}/local"
+    state: directory
+    recurse: yes
+    force: true
+  ignore_errors: true
+  loop:  "{{ configs|flatten + app_configs | flatten }}"
+
+- name: Apply provided template.j2 on the provided target file
+  template:
+    src: "{{ item.template_path }}"
+    dest: "{{ playbook_dir }}/splunk_apps/base_apps/{{ app_name }}/local/{{ item.template_output_path }}"
+    force: true
+  loop: "{{ configs|flatten +  app_configs | flatten }}"
+
+- name: Ensure that all custom paths exists
+  file:
+    path: "{{ playbook_dir }}/splunk_apps/base_apps/{{ app_name }}/{{ item.dest_dir }}"
+    state: directory
+    recurse: yes
+    force: true
+  ignore_errors: true
+  loop: "{{ files |flatten }}"
+  when: files is defined
+
+- name: Copy specific files to their local dir
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ playbook_dir }}/splunk_apps/base_apps/{{ app_name }}/{{ item.dest_dir }}"
+    force: true
+  loop: "{{ files |flatten }}"
+  when: files is defined
+
+- name: Copy app to the different Splunk Topology
+  copy:
+    src: "{{ playbook_dir }}/splunk_apps/base_apps/{{ app_name }}"
+    dest: "{{ playbook_dir }}/splunk_apps/{{ item }}/"
+    force: yes
+  loop: "{{ splunk_target_topology }}"

Splunk_Install/common/tasks/disable_dmc.yml

@@ -0,0 +1,10 @@
+
+- name: "disable dmc on client instances"
+  ini_file:
+    dest: "{{ splunk_home }}/etc/apps/splunk_monitoring_console/local/app.conf"
+    section: install
+    option: "state"
+    value: "disabled"
+  become: yes
+  become_user: "{{ splunk_user }}"
+  when: "{{ groups.splunk_monitoring_console | length |int }} >= 1"

Splunk_Install/common/tasks/set_certificate_prefix.yml

@@ -0,0 +1,17 @@
+---
+- name: "Test basic https endpoint"
+  uri:
+    url: "https://127.0.0.1:{{ splunk_svc_port }}/services/properties"
+    method: GET
+    user: "{{ splunk_admin_user }}"
+    password: "{{ splunk_password }}"
+    validate_certs: false
+    status_code: 200,404
+    timeout: 10
+  register: ssl_enabled
+  ignore_errors: true
+
+# If the https call failed, we will revert to http and continue REST with normal error handling
+- name: "Set url prefix for future REST calls"
+  set_fact:
+    cert_prefix: "{% if ssl_enabled.status == 200 %}https{% else %}http{% endif %}"

Splunk_Install/common/tasks/set_conf_stanza.yml

@@ -0,0 +1,33 @@
+---
+- name: Create {{ conf_directory }} directory if not existing
+  file:
+    path: "{{ conf_directory }}"
+    state: directory
+  when: conf_directory is defined
+  become: yes
+  become_user: "{{ splunk_user }}"
+
+- name: Create {{ conf_file }} if not existing
+  copy:
+    dest: "{{ conf_directory }}/{{ conf_file }}"
+    mode: u=rw,g=,o=
+    owner: "{{ splunk_user }}"
+    group: "{{ splunk_group }}"
+    content: ""
+    force: no
+  become: yes
+  become_user: "{{ privileged_user }}"
+
+- name: "Set options in {{ stanza_name }}"
+  ini_file:
+    path: "{{ conf_directory }}/{{ conf_file }}"
+    section: "{{ stanza_name }}"
+    option: "{{ stanza_setting.key }}"
+    value: "{{ stanza_setting.value }}"
+    allow_no_value: True
+    state: present
+  with_dict: "{{ conf_stanzas }}"
+  loop_control:
+    loop_var: stanza_setting
+  become: yes
+  become_user: "{{ splunk_user }}"

Splunk_Install/common/tasks/wait_for_splunk_instance.yml

@@ -0,0 +1,20 @@
+---
+- name: Check Splunk instance is running
+  uri:
+    url: "{{ cert_prefix }}://{{ inventory_hostname }}:{{ splunk_svc_port }}/services/server/info?output_mode=json"
+    method: GET
+    user: "{{ splunk_admin_user }}"
+    password: "{{ splunk_password }}"
+    validate_certs: false
+  register: task_response
+  until:
+    - task_response.status == 200
+    - lookup('pipe', 'date +"%s"')|int - task_response.json.entry[0].content.startup_time > 10
+  retries: "{{ retry_num }}"
+  delay: 3
+  ignore_errors: true
+  no_log: "{{ hide_password }}"
+
+- name: Print response
+  debug:
+    var: task_response

Splunk_Install/common/templates/app.j2

@@ -0,0 +1,11 @@
+[launcher]
+author =  {{ author }} via Ansible (OBS)
+description = {{ app_desc }}
+version = {{ ansible_script_version }}
+
+[package]
+id = {{ app_name }}
+
+
+[ui]
+is_visible = false

Splunk_Install/common/templates/cluster_master_server_conf.j2

@@ -0,0 +1,15 @@
+
+[clustering]
+available_sites = {{ splunk_all_sites }}
+cluster_label = {{ splunk_idxcluster_label }}
+mode = master
+multisite = {{ splunk_multisite }}
+replication_factor = {{ splunk_replication_factor }}
+search_factor = {{ splunk_search_factor }}
+site_replication_factor = origin:{{ splunk_multisite_replication_factor_origin }}, total:{{ splunk_multisite_replication_factor_total }}
+site_search_factor = origin:{{ splunk_multisite_search_factor_origin }}, total:{{ splunk_multisite_search_factor_total }}
+summary_replication = true
+
+[general]
+site = {{ splunk_site }}
+

Splunk_Install/common/templates/deployer.j2

@@ -0,0 +1,2 @@
+[shclustering]
+shcluster_label = {{ splunk_shcluster_label }}

Splunk_Install/common/templates/deploymentclient.j2

@@ -0,0 +1,10 @@
+[deployment-client]
+{% if splunk_enableSSL %}
+  sslVersions = tls1.2
+  sslVerifyServerCert = true
+  sslCommonNameToCheck =  {% for host in groups.splunk_deployment_server %} {{ host }}, {% endfor %} 
+{% endif %}
+
+[target-broker:deploymentServer]
+# Change the targetUri
+targetUri = {{ groups.splunk_deployment_server[0] }}:{{ splunk_svc_port }}

Splunk_Install/common/templates/dist_search.j2

@@ -0,0 +1,30 @@
+[distributedSearch]
+servers = {% if sh_list is not none %}  {% for host in sh_list %} https://{{ host }}:{{ splunk_svc_port }}, {% endfor %} {%endif %}{% if lm_list is not none %} ,{% for host in lm_list %} https://{{ host }}:{{ splunk_svc_port }}, {% endfor %}{%endif %}{% if cm_list is not none %} ,{% for host in cm_list %} https://{{ host }}:{{ splunk_svc_port }}, {% endfor %}{%endif %}{% if ds_list is not none %} ,{% for host in ds_list %} https://{{ host }}:{{ splunk_svc_port }}, {% endfor %}{%endif %}{% if deployer_list is not none %} ,{% for host in deployer_list %} https://{{ host }}:{{ splunk_svc_port }}, {% endfor %}{%endif %}
+
+[distributedSearch:dmc_group_cluster_master]
+servers={% if cm_list is not none %}  {% for host in cm_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %} {% else %} localhost:localhost {%endif %}
+
+[distributedSearch:dmc_group_deployment_server]
+servers={% if ds_list is not none %} {% for host in ds_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %}{% else %} localhost:localhost {%endif %}
+
+[distributedSearch:dmc_group_indexer]
+default = true
+servers={% if indexer_list is not none %} {% for host in indexer_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %} {% else %} localhost:localhost {%endif %}
+
+[distributedSearch:dmc_group_kv_store]
+servers={% if sh_list is not none %} {% for host in sh_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %}{% else %} localhost:localhost {%endif %}
+
+[distributedSearch:dmc_group_license_master]
+servers={% if lm_list is not none %} {% for host in lm_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %}{% else %} localhost:localhost {%endif %}
+
+[distributedSearch:dmc_group_search_head]
+servers={% if cm_list is not none %}{% for host in cm_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %}{% else %} localhost:localhost {%endif %}{% if sh_list is not none %},{% for host in sh_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %} {%endif %}
+
+[distributedSearch:dmc_group_shc_deployer]
+servers={% if deployer_list is not none %} {% for host in deployer_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %}{% else %} localhost:localhost {%endif %}
+
+[distributedSearch:dmc_indexerclustergroup_{{ splunk_idxcluster_label }}]
+servers={% if cm_list is not none %}{% for host in cm_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %}{% else %} localhost:localhost {%endif %}{% if indexer_list is not none %},{% for host in indexer_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %} {%endif %}{% if sh_list is not none %},{% for host in sh_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %} {%endif %}
+
+[distributedSearch:dmc_searchheadclustergroup_{{ splunk_shcluster_label }}]
+servers={% if sh_list is not none %}{% for host in sh_list %} {{ host }}:{{ splunk_svc_port }}, {% endfor %}{% else %} localhost:localhost {%endif %}

Splunk_Install/common/templates/enable_receiver.j2

@@ -0,0 +1,12 @@
+{% if splunk_enableSSL %}
+[splunktcp-ssl:{{ splunk_s2s_port }}]
+connection_host = ip
+
+[SSL]
+serverCert = $SPLUNK_HOME/etc/auth/servercertificate.pem
+sslPassword = {{ splunk_ssl_cert_password }}
+requireClientCert = false
+sslVersions = tls1.2
+{% else %}
+[splunktcp://{{ splunk_s2s_port }}]
+{% endif %}

Splunk_Install/common/templates/forwarding_s2s_outputs_conf.j2

@@ -0,0 +1,19 @@
+# BASE SETTINGS
+
+[tcpout]
+# Change here to specify the indexer group 
+defaultGroup = all_{{ splunk_app_prefix }}_indexer
+forceTimebasedAutoLB = true
+maxQueueSize = 7MB
+useACK = true
+
+[tcpout:all_{{ splunk_app_prefix }}_indexer]
+{% if splunk_enableSSL %}
+clientCert = $SPLUNK_HOME/etc/auth/servercertificate.pem
+{% endif %}
+server = {% for host in indexer_list %}{{ host }}:{{ splunk_s2s_port }}, {% endfor %}
+{% if splunk_enableSSL %}
+sslCommonNameToCheck = {% for host in groups.all_splunk_instances %}{{ host }}, {% endfor %} 
+sslPassword = {{ splunk_ssl_cert_password }}
+sslVerifyServerCert = true
+{% endif %}

Splunk_Install/common/templates/forwarding_uf_outputs_conf.j2

@@ -0,0 +1,19 @@
+# BASE SETTINGS
+
+[tcpout]
+# Change here to specify the indexer group 
+defaultGroup = all_{{ splunk_app_prefix }}_indexer
+forceTimebasedAutoLB = true
+maxQueueSize = 7MB
+useACK = true
+
+[tcpout:all_{{ splunk_app_prefix }}_indexer]
+{% if splunk_enableSSL %}
+clientCert = $SPLUNK_HOME/etc/apps/{{ app_name }}/{{ custom_cert_path }}
+{% endif %}
+server = {% for host in indexer_list %}{{ host }}:{{ splunk_s2s_port }}, {% endfor %}
+{% if splunk_enableSSL %}
+sslCommonNameToCheck = {% for host in indexer_list %}{{ host }}, {% endfor %} 
+sslPassword = {{ splunk_ssl_cert_password }}
+sslVerifyServerCert = true
+{% endif %}

Splunk_Install/common/templates/idx_indexes_base.j2

@@ -0,0 +1,5 @@
+# performance optimisation
+[default]
+journalCompression = zstd
+tsidxWritingLevel = 4
+

Splunk_Install/common/templates/idx_kvstore_base.j2

@@ -0,0 +1,5 @@
+# kvstore not needed on indexers, let's disable it
+# even when distributing collection via bundle, it won't be used on indexer as this use lookups in the background
+
+[kvstore]
+disabled = true

Splunk_Install/common/templates/idx_web_base.j2

@@ -0,0 +1,9 @@
+# In larger environments, where there are more than, say, three indexers,
+# it's common to disable the Splunk UI. This helps avoid configuration issues
+# caused by logging in to the UI to do something directly via the manager,
+# as well as saving some system resources.
+
+[settings]
+startwebserver = 0
+# avoid timeout when indexer loaded 
+splunkdConnectionTimeout = 120

Splunk_Install/common/templates/indexer_cluster.j2

@@ -0,0 +1,10 @@
+
+# clustering parameters are local and moved in a cluster specific package
+# this can be a site specific if only one site per cluster
+
+[clustering]
+master_uri = https://{{ groups.splunk_cluster_master[0] }}:{{ splunk_svc_port }}
+mode = slave
+
+[replication_port://{{ splunk_replication_port }}]
+disabled = false

Splunk_Install/common/templates/indexer_multisite.j2

@@ -0,0 +1,15 @@
+# This app is expected to be layered on top of org_cluster_indexer_base;
+# the settings there establish the general relationship with the master and
+# set up clustered indexing behavior. This is another layer to provide the
+# site number of the host, and to indicate that the clustering should be of
+# the multi-site variety.
+
+# *** This app cannot be shipped via the master-apps mechanism; it would 
+#     make all sites the same. Place it in etc/apps on the affected indexer. ***
+
+[general]
+site = {{ splunk_site }}
+
+[clustering]
+multisite = {{ splunk_multisite }}
+

Splunk_Install/common/templates/license_server_conf.j2

@@ -0,0 +1,10 @@
+# In distributed environments, it's common to have a lone search head acting
+# as the license master as well. In this configuration, providing the URI
+# of the license master is easiest within the indexer_base configuration.
+# In the event that there are multiple search heads, you could instead use
+# the org_all_license app, shipped to the non-license SH, as well as all of
+# the indexers. In either event, the settings are the same.
+
+[license]
+master_uri = https://{{ groups.splunk_license_master[0] }}:{{ splunk_svc_port }}
+