Deployment Architecture

Deployment of Splunk TA for windows via deployment server

Explorer

Hi ,

We deployed Splunk universal forwarder through sccm which had the sendtoindexer app pointing to indexer and deployment server set. On deploying it we found out that there is a inputs.conf getting created in local folder with only the hostname.
Using a batch file we appended the inputs.conf host data form system/local to Splunk-TA-Windows/local/inputs.conf and deleted the inputs.conf and restarted splunkd. All worked fine.
Now we have the Splunk-TA-Winodws deployed through deployment servrer, when the client phones home it removes the hostname as there and keeps the conf file present in the deployment app?
How can i add the host details in splunk without getting it override ?
I have 100 servers in all and want the hostname of each present in the inputs.conf of the TA ?

0 Karma

Splunk Employee
Splunk Employee

Hey himapate,

Upon installation of Splunk, an inputs.conf file will get created to give a host name in the default stanza. This is so the forwarder, if host configuration is not set at an app level, can tell the indexers who they are. Further reading for file precedence might be helpful here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

What I'd suggest you do here is move away from changing configuration files using batch as, if SCCM allows it, there's an easier way to do a packaged install using a few command line switches. Take a look here: http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/InstallaWindowsuniversalforwarderfro...

So, you'd probably want to instruct SCCM to install splunk in quiet mode, agree to the license, and handshake with your deployment server, like so:

DEPLOYMENT_SERVER="<host:port>" AGREETOLICENSE=yes /quiet

Note: You may not need to add the /quiet switch as I think SCCM automatically applies /q to all packages. Give it a try.

Then, when your forwarder connects to the Deployment Server, you can create server classes to sent the forwarder the sendtoindexer app, and the SplunkTAWindows app.

I hope this helps

0 Karma