https://community.splunk.com/t5/Getting-Data-In/Parametrized-universal-forwarders-in-a-distributed-env/m-p/23278#M3662 <P>Perhaps I'm missing out on something but I haven't found details in the Splunk documentation about how we can setup generic universal forwarders that know "magically" on what deployment client they're running on.</P> <P>We have a mixed environment with different breed of application servers and we'd want to centrally distribute a universal forwarder configuration that upon deployment (or later) would be intelligent enough to send log data with the correct syntax to the indexer. </P> <P>All I've found so far is examples where parameters are hard coded but nothing dynamic.</P> <P>How can we achieve this, is there a way to parametrize the forwarders during deployment (i.e. Forwarder_X will run on a Tomcat host, Forwarder_Y will run on an Orion Server host)?</P> <P>One idea I haven't tried is with defining different server classes. After a successful deployment of forwarders one changes the inputs.conf settings on the deployment server centrally. Then a reload of server class:</P> <PRE><CODE>./splunk reload deploy-server -class [server-class-name] </CODE></PRE> <P>...would trigger an update of all forwarders and with that, we'd end up with client specific forwarders.</P> Mon, 28 Sep 2020 10:09:31 GMT greg0ry 2020-09-28T10:09:31Z https://community.splunk.com/t5/Getting-Data-In/Parametrized-universal-forwarders-in-a-distributed-env/m-p/23278#M3662 <P>Perhaps I'm missing out on something but I haven't found details in the Splunk documentation about how we can setup generic universal forwarders that know "magically" on what deployment client they're running on.</P> <P>We have a mixed environment with different breed of application servers and we'd want to centrally distribute a universal forwarder configuration that upon deployment (or later) would be intelligent enough to send log data with the correct syntax to the indexer. </P> <P>All I've found so far is examples where parameters are hard coded but nothing dynamic.</P> <P>How can we achieve this, is there a way to parametrize the forwarders during deployment (i.e. Forwarder_X will run on a Tomcat host, Forwarder_Y will run on an Orion Server host)?</P> <P>One idea I haven't tried is with defining different server classes. After a successful deployment of forwarders one changes the inputs.conf settings on the deployment server centrally. Then a reload of server class:</P> <PRE><CODE>./splunk reload deploy-server -class [server-class-name] </CODE></PRE> <P>...would trigger an update of all forwarders and with that, we'd end up with client specific forwarders.</P> Mon, 28 Sep 2020 10:09:31 GMT https://community.splunk.com/t5/Getting-Data-In/Parametrized-universal-forwarders-in-a-distributed-env/m-p/23278#M3662 greg0ry 2020-09-28T10:09:31Z https://community.splunk.com/t5/Getting-Data-In/Parametrized-universal-forwarders-in-a-distributed-env/m-p/23279#M3663 <P>You're headed in the right direction, server classes configured so that Forwarder_X gets a Forwarder_X and and Forwarder_Y gets a forwarder_Y app is the solution. This is the normative method for accomplishing this type of task. </P> Mon, 28 Sep 2020 10:09:39 GMT https://community.splunk.com/t5/Getting-Data-In/Parametrized-universal-forwarders-in-a-distributed-env/m-p/23279#M3663 jbsplunk 2020-09-28T10:09:39Z https://community.splunk.com/t5/Getting-Data-In/Parametrized-universal-forwarders-in-a-distributed-env/m-p/23280#M3664 <P>Well, you should NOT change the DS's own inputs.conf, but rather create a few applications - each containing an inputs.conf file.</P> <P>On the DS, create an 'app' under $SPLUNK_HOME/etc/deployment-apps/ for each type of server.<BR /> Such an app could contain an inputs.conf file specifying <CODE>[monitor]</CODE> stanzas relevant for that type of server. </P> <P>Then you create/edit the serverclass.conf (typically under $SPLUNK_HOME/etc/system/local/) on the DS, defining which servers should have what app.</P> <P>Then you make sure that the forwarders know whom to contact for configuration information, i.e. run <CODE>./splunk set deploy-poll &lt;ip:port&gt;</CODE> on each forwarder. (replace ip:port with your DS ip and port (8089 by default)).</P> <P>Then you can run <CODE>./splunk reload deploy-server</CODE> on your DS.</P> <P>If everything went well, your forwarders should contact the DS, download the new app, and start sending the logs.</P> <P>For more info, see</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutdeploymentserver">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutdeploymentserver</A><BR /> and the pages following.</P> <P>hope this helps,</P> <P>Kristian</P> Tue, 29 Nov 2011 12:26:27 GMT https://community.splunk.com/t5/Getting-Data-In/Parametrized-universal-forwarders-in-a-distributed-env/m-p/23280#M3664 kristian_kolb 2011-11-29T12:26:27Z