We are trying to deploy limits.conf to all of our endpoints to here:
C:\Program Files\SplunkUniversalForwarder\etc\apps\local
The problem is, I don't see an app for SplunkUniversalForwarder on our Deployment Server... It's not in /etc/apps or /etc/deployment-apps
Do I need to create a "SplunkUniversalForwarder" app in the deployment-apps directory on the Deployment Server where our other deployed apps reside, and just create the local folder with the inputs.conf I want to use in there and deploy it like any other app?
I would have thought if the SplunkUniversalForwarder app is on the local machines, there would already be an app for it somewher eon the deployment server...
The best way to handle this is
1. Create a specific app eg: MY_LIMITS_APP
and create local/limits.conf
within this app
2. put the stanza and value you need in MY_LIMITS_APP/local/limits.conf
3. Update your serverclass to push MY_LIMITS_APP
to your Universal Forwarders
Everything should be good and you can control all your limits via this app afterwards and is modular
PS: In case if something is not working, run a btool in your UF to see if the limits.conf stanza from your app is being picked up
$SPLUNK_HOME/bin/splunk cmd btool limits list --debug
Just so I understand, and to clarify - the limits.conf file I want to deploy is supposed to (according to Splunk Support) go into this directory on all of our endpoints:
C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf
If I create a new app with the limits.conf that I want to use, won't it only apply to data going through the forwarder for that app I create?
I was under the impression to create this:
C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf
I would have to have an app on the deployment server called SplunkUniversalForwarder to get it to deploy to that location.
But it sounds like you are saying the SplunkUniversalForwarder will use the limits.conf value from any app that is on the endpoint that has one in it's local folder?
It is much simpler than you think. Just create your own app, put the limits.conf in your app and in serverclass, put the wildcard whitelist in deployment-server for of your APP to all UF clients and should go perfectly. and You then have full control and naming standards for your organisation
-- But it sounds like you are saying the SplunkUniversalForwarder will use the limits.conf
value from any app that is on the endpoint that has one in its local folder?
Absolutely - and you can't control from the deployment server the C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf
file and therefore you should follow the solution prescribed by @koshyk ; -)