Hello,
I have data coming in near real-time to a host (Linux) with a UF installed on it. It's a new push; the objective is to send these events to the SPLUNK indexer to view them from the search head. Everything is in place except that I need to put new props.conf, inputs.conf, and transforms.conf files onto that server. My question is where and how I should put those configuration files. Create a new folder "local" under the etc/apps/ folder from the CLI and copy all these 3 configuration files there, or copy all these configuration files into ...etc/system/local folder... or ...? Any recommendations will be highly appreciated. Thank you so much.
Hi @SplunkDash,
if the Universal Forwarder is already installed and configured to send data to Indexers and you have only to add a new input, you have to:
if apps are manually deployed to the Forwarder:
[monitor:///your_path/your_file.log]
index=your_index
sourcetype=your_sourcetype
disabled=0
if instead you deploy apps using the Deployment Server, you have to do the same thing on one inputs.conf that you can find in an app in $SPLUNK_HOME/etc/deployment/apps of the Deployment Server and then force the app deploy on the DS (splunk reload deploy-server).
Ciao.
Giuseppe
Hi @SplunkDash,
you should read the documentation or see the videos at
https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html
https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents
In few words, you have to:
I was very quick in description, but in the above link and video you can find all the details to do all.
About where to put conf files, my hint is to never use $SPLUNK_HOME/etc/system/local, but always create a dedicated App (on the Search Head) or a dedicated Add-On (on Indexers or Forwarders).
The way to deploy apps to Forwarders could depend on the number of targets, but anyway I hint to use a Deployment Server (https://docs.splunk.com/Documentation/Splunk/8.2.6/Updating/Updateconfigurations).
If you have few targets, probably the first time it takes longer than doing it manually, but I hint to use the DS to learn how to use it.
Ciao.
Giuseppe
Thank you so much for your quick response, as always. Everything is setup and we are getting data for that host. This is a new push for a new set of near real time events coming in. I need to push those events so we can see those events from SH. How and where should I put my new configuration files to push those events?
Awesome, thank you so much for your support as always... working as expected.
I have a quick question... can I also use a props.conf file... following the same rules... open one props.conf file within the same app folder and add
[my_sourcetype]
..................
.................
Thank you so much again.
Hi @SplunkDash,
yes, you can, but what's the purpose of this props.conf?
If you have to add many configurations, probably it's a better choice to create a new dedicated App or TA.
Ciao.
Giuseppe
Thank you so much as always. I need to create a new props due to the complexity of the data structure and use cases.
What is the best way to create a new dedicated app from the CLI... it's a completely new push. Can I create a new app folder from the CLI and copy the content of any existing app there and modify its props and inputs configuration files? Thank you so much again.
Hi @SplunkDash,
you can use the approach you like and you better know.
I usually create an app by CLI and manually create the folders and the files.
If you want to be more sure, you could use the App Builder app on your Splunk Enterprise to check this TA before deploying it.
There's only one point of attention I'd highlight: if you have to deploy this app to Linux targets, don't create it on Windows because there could be permissions issues.
Ciao.
Giuseppe
I think that might be the smartest approach. Let me try this, thank you so much, appreciate your support in these efforts as always.
Hi @SplunkDash
yes, the best practice is to create a small app to put your configuration in.
Be careful: props and transforms don't work on the UF; if you want to use those files you have to install a HF.
Regards
Alessandro
Hello,
Thank you so much for your quick response... oh ok... yes, agree... need to have a HF... one question, how would I create a new app from the CLI... go to the /etc/apps folder, then... mkdir NewappName, and then under that mkdir local, and then copy all configuration files under the local folder? Your recommendation will be highly appreciated. Thank you so much again.
Hi @SplunkDash
there are many ways to manage this.
first one:
use a deployment server (recommended)
go on the /opt/splunk/etc/deployment-apps/ and create your small app
mkdir -p small_app/local
and put your conf file on the local folder
go on the deployment server web interface and create a server class to push your new app.
second one: connect in ssh on the HF and create a small app (not recommended)
quick tip
if you are not familiar with the cli you can use this app to manage conf by UI
https://splunkbase.splunk.com/app/4353/
Regards
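An added example, not from this thread or from Splunk, that scripts the steps above and in Giuseppe's earlier reply: it creates the small app skeleton under the deployment-apps directory (path taken from the thread, overridable via APPS_DIR), writes the inputs.conf monitor stanza, and sets Linux file permissions. The app name, log path, index and sourcetype are constructed placeholders, and the default/app.conf it adds is not something the thread mentions.

```shell
#!/bin/sh
# Create a minimal Splunk app skeleton holding an inputs.conf monitor stanza.
# Usage: create_splunk_app <apps_dir> <app_name> <log_path> <index> <sourcetype>

create_splunk_app() {
  apps_dir="$1"; app="$2"; log_path="$3"; index="$4"; sourcetype="$5"
  app_dir="$apps_dir/$app"
  # The thread's "mkdir -p small_app/local", plus default/ for app.conf metadata
  mkdir -p "$app_dir/local" "$app_dir/default" || return 1
  cat > "$app_dir/default/app.conf" <<EOF
[install]
state = enabled

[ui]
is_visible = false
label = $app
EOF
  # Same stanza shape as Giuseppe's reply (monitor input, index, sourcetype, enabled)
  cat > "$app_dir/local/inputs.conf" <<EOF
[monitor://$log_path]
index = $index
sourcetype = $sourcetype
disabled = 0
EOF
  # Linux-friendly permissions; creating the app on Windows can break these (thread caveat)
  chmod 755 "$app_dir" "$app_dir/local" "$app_dir/default"
  chmod 644 "$app_dir/default/app.conf" "$app_dir/local/inputs.conf"
  return 0
}

# Returns 0 when the app's inputs.conf carries the expected monitor stanza and index
check_splunk_app() {
  conf="$1/$2/local/inputs.conf"
  grep -q "^\[monitor://$3\]" "$conf" && grep -q "^index = $4" "$conf"
}

# Example invocation with constructed values; APPS_DIR defaults to the DS path from the thread
APPS_DIR="${APPS_DIR:-/opt/splunk/etc/deployment-apps}"
if [ "${1:-}" = "--run" ]; then
  create_splunk_app "$APPS_DIR" "small_app" "/var/log/myapp/events.log" "main" "myapp:events" \
    && echo "Next: add a server class, then run \$SPLUNK_HOME/bin/splunk reload deploy-server" \
    && echo "Verify on the target: \$SPLUNK_HOME/bin/splunk btool inputs list --app=small_app --debug"
fi
```

Run it as `sh create_app.sh --run` on the deployment server; the btool line shows which file each setting was resolved from, so a stray copy in etc/system/local becomes visible.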
Thank you so much again: let me try this recommendation and get back to you.
Thank you!