Can I still use Forwarder Management with the Splunk Light license?

Explorer

I am currently running a Splunk Enterprise Trial License on bare metal and I have set up the Universal Forwarder on 23 other CentOS 7 VMs. I used the Forwarder Management feature to push out the Splunk_TA_nix add-on to these devices. Now, I am considering using the Splunk Light license going forward, but do not want to lose this ability to manage the forwarders from the main Splunk Web Console.

Is this ability still available with Splunk Light? I did determine that it is not available with Splunk Free.

Re: Can I still use Forwarder Management with the Splunk Light license?

Splunk Employee

Yes, Kiles. Forwarder Management functionality is available starting with Splunk Light version 6.4.
Do give it a try and let us know.

Re: Can I still use Forwarder Management with the Splunk Light license?

Explorer

Thanks for the quick reply. I do see that Splunk Light is a separate download, though (https://www.splunk.com/en_us/download/splunk-light.html#). I might assume that I need to wipe out the Enterprise version, install the Light version, and then reconfigure the forwarders and apps to test that.

Re: Can I still use Forwarder Management with the Splunk Light license?

Explorer

After downloading splunklight-6.4.0-f2c836328108-linux-2.6-x86_64.rpm to my local Yum repository and running createrepo to update my local repository, I do not see splunklight. The command rpm -qpil splunklight-6.4.0-f2c836328108-linux-2.6-x86_64.rpm displays the following...
Name : splunk
Version : 6.4.0
Release : f2c836328108
Architecture: x86_64
Install Date: (not installed)
Group : Applications/Internet
Size : 443873298
License : Commercial
Signature : DSA/SHA1, Fri 25 Mar 2016 11:50:36 PM EDT, Key ID 2960b1fd653fb112
Source RPM : splunk-6.4.0-f2c836328108.src.rpm
Build Date : Fri 25 Mar 2016 11:49:26 PM EDT
Build Host : re-centos6x64-14.sv.splunk.com
Relocations : /opt
Vendor : Splunk Inc. info@splunk.com
Summary : Splunk
Description :
The platform for machine data.

If I do the same for the original splunk (enterprise) RPM I see ...
Name : splunk
Version : 6.4.0
Release : f2c836328108
Architecture: x86_64
Install Date: (not installed)
Group : Applications/Internet
Size : 442058106
License : Commercial
Signature : DSA/SHA1, Fri 25 Mar 2016 11:53:49 PM EDT, Key ID 2960b1fd653fb112
Source RPM : splunk-6.4.0-f2c836328108.src.rpm
Build Date : Fri 25 Mar 2016 11:52:39 PM EDT
Build Host : re-centos6x64-14.sv.splunk.com
Relocations : /opt
Vendor : Splunk Inc. info@splunk.com
Summary : Splunk
Description :
The platform for machine data.

I cannot see them (yum list splunk*) as separate RPMs. This leads me to believe that the splunklight RPM is the same as the splunk (enterprise) RPM. If this is the case, should I not be able to simply change the license pool on the existing installed splunk (enterprise), or did the wrong source get into the splunklight RPM?

Re: Can I still use Forwarder Management with the Splunk Light license?

Explorer

I removed splunk and splunklight from my local repo but left the splunkforwarder (and rebuilt my local repository). I stopped and removed splunk enterprise and installed splunk light manually using the local RPM file I downloaded and then started splunk up again. I did the usual first steps and logged into the web console. All good!

I then found the Forwarder Management menu item (menu vastly different in light) and saw immediately that all 23 clients had phoned home! Yippee! Unfortunately, no apps or server classes, but that was expected. I created my three main server classes and added the clients by IP address. Works! I see that the Add Apps button is greyed out. Probably because I have not set up and deployed any apps in light yet. That will be my next step.

So the answer is that yes indeed - forwarder management is available in Splunk Light 6.4.0. Now I read that the Splunk App for Unix is preinstalled and also see that the Splunk Add-on for Unix and Linux is also installed but not enabled. That Add-on is also an older version (5.2.0) so I will upgrade it to 5.2.3.

The next step will be to configure the add-on, copy it to the deployment directory, and see if I can update the add-on on all of the clients.

Thanks for the correct answer.