Deployment Architecture

Deployment of Splunk TA for windows via deployment server

himapate
Explorer

Hi ,

We deployed Splunk universal forwarder through sccm which had the sendtoindexer app pointing to indexer and deployment server set. On deploying it we found out that there is a inputs.conf getting created in local folder with only the hostname.
Using a batch file we appended the inputs.conf host data form system/local to Splunk-TA-Windows/local/inputs.conf and deleted the inputs.conf and restarted splunkd. All worked fine.
Now we have the Splunk-TA-Winodws deployed through deployment servrer, when the client phones home it removes the hostname as there and keeps the conf file present in the deployment app?
How can i add the host details in splunk without getting it override ?
I have 100 servers in all and want the hostname of each present in the inputs.conf of the TA ?

0 Karma

ktugwell_splunk
Splunk Employee
Splunk Employee

Hey himapate,

Upon installation of Splunk, an inputs.conf file will get created to give a host name in the default stanza. This is so the forwarder, if host configuration is not set at an app level, can tell the indexers who they are. Further reading for file precedence might be helpful here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

What I'd suggest you do here is move away from changing configuration files using batch as, if SCCM allows it, there's an easier way to do a packaged install using a few command line switches. Take a look here: http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/InstallaWindowsuniversalforwarderfro...

So, you'd probably want to instruct SCCM to install splunk in quiet mode, agree to the license, and handshake with your deployment server, like so:

DEPLOYMENT_SERVER="<host:port>" AGREETOLICENSE=yes /quiet

Note: You may not need to add the /quiet switch as I think SCCM automatically applies /q to all packages. Give it a try.

Then, when your forwarder connects to the Deployment Server, you can create server classes to sent the forwarder the sendtoindexer app, and the Splunk_TA_Windows app.

I hope this helps

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...