Deploy different inputs.conf to different Universal Forwarders using deployment server

jadengoho
Builder

Is it possible to deploy a different inputs.conf to different Universal Forwarders?

0 Karma

xpac
SplunkTrust

There is a lot to this topic and more than can be covered in a single answer here, so I'll just link you to the proper documentation.

Check out About deployment server and forwarder management - it's a good point to get started and get a high level overview and more details to dig into.

Hope that helps!

0 Karma

jadengoho
Builder

I just read the documentation.
But here is the situation: I have 1 app and 20 UFs.

In the app, there is an inputs.conf that changes according to the UF,
meaning for every UF there is 1 app but a different inputs.conf in it,
i.e.
~UF_1 > Sample_App > inputs.conf (contains specific configuration for UF_1)
~UF_2 > Sample_App > inputs.conf (contains specific configuration for UF_2)
~UF_3 > Sample_App > inputs.conf (contains specific configuration for UF_3)

0 Karma

xpac
SplunkTrust

Can you explain why the inputs.conf has to be different on every UF?
Basically - you can't dynamically change an app per UF, there is no templating or anything like this.
So if you actually need to have a different inputs.conf per UF, you need to clone the app 20 times and assign each copy to its respective UF - therefore it would be good to see the reason why you want to do this. 🙂

0 Karma

jadengoho
Builder

That's the first idea that came to my mind: create 20 apps.
The reason why I need the inputs.conf to differ is that there's a stanza in the inputs.conf that gets that particular address:

"destination = 192.168.1.1" - where "192.168.1.1" is the IP that will get the data

I am afraid that if I do it as a whole it would repeat the data to be forwarded.
"destination = 192.168.1.1,192.168.1.2" - I think this would repeat the data.

0 Karma

ddrillic
Ultra Champion

Interesting. Can you please show us the inputs.conf file?

0 Karma

jadengoho
Builder

Here is my inputs.conf:

[snmp://(NAME)]
communitystring = public
destination = (IP_ADDRESS)
do_bulk_get = 0
do_get_subtree = 1
index = SNMP
ipv6 = 0
mib_names = (MIB_Names)
object_names = (OID_Names)
port = 161
snmp_mode = attributes
snmp_version = 2C
sourcetype = (Sourcetype_Name)
split_bulk_output = 0
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

At first, I set it as a whole:
"destination = 192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4,192.168.1.5,192.168.1.6....." - but if I put it on every forwarder I think the data will get duplicated.

So I am trying to do it individually using the deployment server:

~UF_1 > Sample_App > inputs.conf ("destination = 192.168.1.1")
~UF_2 > Sample_App > inputs.conf ("destination = 192.168.1.2")
~UF_3 > Sample_App > inputs.conf ("destination = 192.168.1.3")
0 Karma

xpac
SplunkTrust

Ah, that you're using the SNMP input would have been valuable information at the start 😉
Yeah, if you deploy that app on all UFs with a config for all devices, you will get duplicates, true.

Why, however, do you want to do one UF for one device? I would just take one UF that does this task and have it do all the SNMP work, and not spread it over 20 single instances, because that will most likely be awful to debug (and definitely awful to manage via DS).

0 Karma
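
The clone-per-forwarder layout discussed in this thread, generated by script; this is an added example, not code from any of the posters or from Splunk. The `deployment-apps/<app>/local/inputs.conf` location, the `Sample_App_<UF>` and server class names, and the `CHANGE_ME` community string and `snmp_sample` sourcetype are assumptions; the script refuses to assign one device IP to two forwarders, which is the duplicate-data case raised above.

```python
import ipaddress
import re
from pathlib import Path

# Fields copied from the inputs.conf posted in the thread; per-device values are filled in.
STANZA = """[snmp://{name}]
communitystring = {community}
destination = {ip}
index = SNMP
port = 161
snmp_mode = attributes
snmp_version = 2C
sourcetype = {sourcetype}
"""

def build_deployment(assignments, root, community, sourcetype, base_app="Sample_App"):
    """Write one app clone per forwarder under root and return serverclass.conf text.

    assignments maps a forwarder client name to the single device IP it polls.
    """
    seen = {}
    for uf, ip in assignments.items():
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", uf) or uf in {".", ".."}:
            raise ValueError(f"unsafe forwarder name: {uf!r}")  # name becomes a directory
        ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
        if ip in seen:
            # Two forwarders polling one device would index the same data twice.
            raise ValueError(f"{ip} assigned to both {seen[ip]} and {uf}")
        seen[ip] = uf

    stanzas = []
    for ip, uf in sorted(seen.items(), key=lambda item: item[1]):
        app = f"{base_app}_{uf}"
        conf = Path(root) / "deployment-apps" / app / "local" / "inputs.conf"
        conf.parent.mkdir(parents=True, exist_ok=True)
        conf.write_text(STANZA.format(name=uf, community=community, ip=ip, sourcetype=sourcetype))
        # One server class per forwarder, matched on its client name, carrying only its clone.
        stanzas.append(f"[serverClass:{app}]\nwhitelist.0 = {uf}\n\n"
                       f"[serverClass:{app}:app:{app}]\nrestartSplunkd = true\n")
    return "\n".join(stanzas)

if __name__ == "__main__":
    import tempfile
    # Constructed sample following the UF_n / 192.168.1.n pattern used in the thread.
    sample = {"UF_1": "192.168.1.1", "UF_2": "192.168.1.2", "UF_3": "192.168.1.3"}
    with tempfile.TemporaryDirectory() as tmp:
        print(build_deployment(sample, tmp, community="CHANGE_ME", sourcetype="snmp_sample"))
```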