Deployment Architecture

Deployment Server/Client Not Working

khhenderson
Path Finder

I am working in a development environment.
One indexer/search head (DeploymentServer)
One forwarder (DeploymentClient)
I am trying to get my forwarder to install the *nix app and update it's inputs.conf.

On DeploymentServer

/opt/splunk/etc/system/local/serverclass.conf

[global]
whitelist.0=*
restartSplunkd=True
stateOnClient=enabled

[serverClass:lcfapp-d:app:unix]
machineTypes=linux-x86_64
stateOnClient=enabled
restartSplunkd=True

[serverClass:lcfapp-d:app:lcfapp-d]
stateOnClient=enabled

On DeploymentServer
/opt/splunk/etc/deployment-apps/unix
/opt/splunk/etc/deployment-apps/lcfapp-d/local/inputs.conf
/opt/splunk/etc/deployment-apps/lcfapp-d/local/app.conf

On DeploymentClient

/opt/splunkfowarder/etc/system/local/deploymentclient.conf

[lcfapp-d]
[target-broker:deploymentServer]
targetUri= 192.168.XXX.XXX:8089 (the X's are numbers)

I have restarted splunk on both machines several times.
Am I missing something?

0 Karma
1 Solution

bosburn_splunk
Splunk Employee
Splunk Employee

Try this:

[global]
whitelist.0 = *

[serverClass:lcfapp-d:app:unix]
stateOnClient=enabled
restartSplunkd=True


[serverClass:lcfapp-d:app:lcfapp-d]
stateOnClient=enabled
restartSplunkd=true

[serverClass:lcfapp-d]
machineTypes=linux-x86_64
Bosley

View solution in original post

bosburn_splunk
Splunk Employee
Splunk Employee

Try this:

[global]
whitelist.0 = *

[serverClass:lcfapp-d:app:unix]
stateOnClient=enabled
restartSplunkd=True


[serverClass:lcfapp-d:app:lcfapp-d]
stateOnClient=enabled
restartSplunkd=true

[serverClass:lcfapp-d]
machineTypes=linux-x86_64
Bosley

Ayn
Legend

etc/system is not under the deployment server's control. The only thing the deployment server does is it pushes apps from its deployment-apps directory to deployment clients' apps directory (according to the rules set in serverclass.conf), so no other directories will have their contents modified.

0 Karma

khhenderson
Path Finder

I am half way there. The unix app was installed.
The /opt/splunkforwarder/etc/system/local/inputs.conf was not updated.
It did create a /opt/splunkforwarder/etc/apps/lcfapp-d/local/inputs.conf file.

0 Karma

Ayn
Legend

And just to clarify, the main issue here is that you hadn't defined the "lcfapp-d" serverclass. The stanzas containing the ":app:" parts are explicitly for defining which apps should go to which serverclasses, so those serverclasses need to be defined on their own for that to work.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...