I currently have Splunk 5.0.1 and am unable to get the deployment server to push apps. The server class has been defined and the folder containing the apps created, however for some reason it just will not upload the packages. Right now I am trying to use the Exchange TA's for testing.
I have restarted the Splunk server and the Splunk universal forwarder on the other end as well with no luck.
The serverclass.conf contains:
[global]
targetRepositoryLocation = C:\Program Files\SplunkUniversalForwarder\etc\apps\
[serverClass:Global SEP Servers]
filterType = whitelist
repositoryLocation = C:\Splunk\deployment-apps\Corp_SEP\
whitelist.0 = -SEP-
The deploymentclient.conf file contains just an entry for [target-broker:deploymentServer]
I am sure I am missing something simply, but any help would be greatly appreciated.
You will need to define what apps should be shipped at the end of your serverClass for sure.
[serverClass:Global SEP Servers]
whitelist.0 = ServerX
[serverClass:Global SEP Servers:app:APP1]
[serverClass:Global SEP Servers:app:APP2]
[serverClass:Global SEP Servers:app:APP3]
[serverClass:Global SEP Servers:app:APP4]
[serverClass:Global SEP Servers:app:APP5]
You can remove the targetRepositoryLocation since that is the default but if you want to keep it there it should look like C:\Program Files\SplunkUniversalForwarder\etc\apps\
(I dont identify it because I have a large ammount of unix hosts as well)
Splunk reload deploy-server and check if your apps ship
You will need to define what apps should be shipped at the end of your serverClass for sure.
[serverClass:Global SEP Servers]
whitelist.0 = ServerX
[serverClass:Global SEP Servers:app:APP1]
[serverClass:Global SEP Servers:app:APP2]
[serverClass:Global SEP Servers:app:APP3]
[serverClass:Global SEP Servers:app:APP4]
[serverClass:Global SEP Servers:app:APP5]
You can remove the targetRepositoryLocation since that is the default but if you want to keep it there it should look like C:\Program Files\SplunkUniversalForwarder\etc\apps\
(I dont identify it because I have a large ammount of unix hosts as well)
Splunk reload deploy-server and check if your apps ship
Thanks, worked like a charm. I must have missed that in the instructions.
It's pull, not push, and you haven't told the members of the SEP servers to pull anything. The repositoryLocation
setting is for the parent directory of the apps, not an individual app to send. You probably want C:\Splunk\deployment-apps
. (But typically, this folder in a default install lives in an "etc" subfolder of the Splunk home directory.)
Next, you need a line that says "for this class, send this app":
[serverClass:Global SEP Servers:app:Corp_SEP]
Then run splunk reload deploy-server, and watch the clients.
Also, if this app contains inputs.conf or outputs.conf definitions, you'll need to restart the Splunk service on the forwarder after the app arrives. You can do this with the restartSplunkd
flag in serverclass.conf.
Sorry I should clarify, the base directory for apps on this Server Class is C:\Splunk\deployment-apps\Corp_SEP\. I have placed folders under that that contain the actual apps to be deployed.