Using fowarder manager on my deployment server I created a good setup of apps and clients class. Everything worked great. I decided to copy the serverclass.conf to a new install of splunk in another data center. When I look at the actual serverclass.conf file how ever its missing various classes I see clear as day in the GUI. Not all, but a few.
I restarted the deployment server and used the fowarder manager to add some random test classes. I am seeing them appear in the serverclass.conf file. But I am still missing various settings.
Any idea on what is happening here? Is there another file that forwarder management pulls its configs from?
I've never seen this before until just today. I'm on 6.5.2. I've always looked at ~/etc/system/local/serverclass.conf to see what's configured, and how, and always thought of it as authoritative. But today, I was trying to remember where one forwarder was picking up duo logs and when I looked at serverclass.conf all I saw were the entry for system logs (for that one system). Yet when I looked in Forwarder Management I saw the serverClass I had remembered being associated with that system. I googled and found this Splunk answer.
So, yes, I found the missing stanzas in the search app's local as well after I read this. But I've always gone from Search to Settings to Forwarder management and always seen my updates in ~/etc/system/local/serverclass.conf. I'm not understanding why suddenly this one serverClass and its associated Deployment app are being written to the search app's local directory. That feels buggy to me.
So, the next question is (if this is expected behavior), what can I do to make sure that everything gets written to ~/etc/system/local/serverclass.conf ?
Also, this documentation seems to state that serverclass.conf belongs in ~/etc/system/local: https://docs.splunk.com/Documentation/Splunk/latest/Updating/Useserverclass.conf
I opened a case as we have the same trouble (serverclass.conf magically created in search/local)