- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- edit server.conf on multiple servers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
edit server.conf on multiple servers
I want to edit server.conf for around 600 servers, is there anyway we can edit them all at a time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of All, you have got large environment as per the information of 600 servers. You should NEVER use $SPLUNK_HOME/etc/system/ location for these kind of activities. Always modularise your apps/configs
Planning your environment is the MOST important thing to administer your splunk environment.
So the best case for you is
1. Create an app as per your org's naming standard (eg MY_PROD_server_configs)
2. Create "local" directory within it and then "server.conf" within it . Finally it would look like MY_PROD_server_configs/local/server.conf
3. Ensure you have ONLY the "required" stanza in your apps server.conf and push it via your deployment server which manages your Universal forwarders/agents
4. It is advised to have a seprate serverclass app (eg MY_PROD_managed_servers_serverclass/local/serverclass.conf) to modularise what you want to push and which servers you want to push to etc.
Once pushed, you can control everything centrally via deployment server and future updates etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We had a vulnerability scan and we got some vulnerabilities and we would like to clear them, in order to clear that we would like add couple of stanzas to the server.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are these servers, if those are forwarders maybe with deployment server or by making a ansible playbook to change what ever you're trying to change.
If it is the same thing you're trying to change and the servers are forwarders talking to deployment server then it is easy to do it by deployment server. Or else ansible playbook will be the best way
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are regular windows servers, they are not connecting to deployment server but the problem is they if we push something on deployment server they will get changed in apps/local but i want to change in system/local/server.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the rationale behind wanting to make the change in system/local and not via a deployment app?
The deployment server is the supported (and easy) way to push changes to large numbers of forwarders - making changes to system/local goes against best practices.
What is your use case?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We did it using deployment server. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then ansible-playbook would be a good idea, if the change is static among all the servers
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
