Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Deploy limits.conf for Splunk Universal Forwarder?

jcleary47
Path Finder
‎05-01-2019 01:31 PM

We are trying to deploy limits.conf to all of our endpoints to here:

C:\Program Files\SplunkUniversalForwarder\etc\apps\local

The problem is, I don't see an app for SplunkUniversalForwarder on our Deployment Server... It's not in /etc/apps or /etc/deployment-apps

Do I need to create a "SplunkUniversalForwarder" app in the deployment-apps directory on the Deployment Server where our other deployed apps reside, and just create the local folder with the inputs.conf I want to use in there and deploy it like any other app?

I would have thought if the SplunkUniversalForwarder app is on the local machines, there would already be an app for it somewher eon the deployment server...

Tags (1)
Reply

koshyk
Super Champion
‎05-01-2019 01:48 PM

The best way to handle this is
1. Create a specific app eg: MY_LIMITS_APP and create local/limits.conf within this app
2. put the stanza and value you need in MY_LIMITS_APP/local/limits.conf
3. Update your serverclass to push MY_LIMITS_APP to your Universal Forwarders

Everything should be good and you can control all your limits via this app afterwards and is modular

PS: In case if something is not working, run a btool in your UF to see if the limits.conf stanza from your app is being picked up
$SPLUNK_HOME/bin/splunk cmd btool limits list --debug

Reply

jcleary47
Path Finder
‎05-01-2019 01:56 PM

Just so I understand, and to clarify - the limits.conf file I want to deploy is supposed to (according to Splunk Support) go into this directory on all of our endpoints:

C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf

If I create a new app with the limits.conf that I want to use, won't it only apply to data going through the forwarder for that app I create?

I was under the impression to create this:
C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf

I would have to have an app on the deployment server called SplunkUniversalForwarder to get it to deploy to that location.

But it sounds like you are saying the SplunkUniversalForwarder will use the limits.conf value from any app that is on the endpoint that has one in it's local folder?

0 Karma
Reply

koshyk
Super Champion
‎05-02-2019 11:41 AM

It is much simpler than you think. Just create your own app, put the limits.conf in your app and in serverclass, put the wildcard whitelist in deployment-server for of your APP to all UF clients and should go perfectly. and You then have full control and naming standards for your organisation

0 Karma
Reply

ddrillic
Ultra Champion
‎05-01-2019 02:34 PM

-- But it sounds like you are saying the SplunkUniversalForwarder will use the limits.conf value from any app that is on the endpoint that has one in its local folder?

Absolutely - and you can't control from the deployment server the C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf file and therefore you should follow the solution prescribed by @koshyk ; -)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...