I see in the documentation that, when activating a forwarder on the CLI, you pass "-server server:port -auth user:pass". How would I do this in a configuration file? I'm guessing server.conf in $SPLUNK_HOME/etc/apps/SplunkForwarder/local/server.conf but I'm not sure.
Using the configuration file it will be in
[tcpout] defaultGroup=my_indexers [tcpout:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9996
See the documentation at:
Ok, so puppet is different.
I would recommend to build a recipe to:
1- push or edit your configuration (outputs.conf)
2- restart the splunk forwarders to apply.
Another solution is to manage the configuration using the API, but it require auth too, like the CLI
Hmm, I misunderstood earlier. I want to make sure that the forwarder is not only enabled but also started:
splunk add forward-server
Is there a place to do this in the config files? I'm trying to control Splunk with Puppet and having the user:pass in a manifest is not ideal.
the -auth option on the CLI command line is used to avoid typing the admin/user password every time. (useful if you script the CLI configuration)
./splunk add monitor "/var/log/" -auth admin:changeme
When editing the config file you don't need it.