Hi. After getting tired of managing 20 individual lightforwarders and one indexer, I've decided to make use of the Deployment Server feature of Splunk.
I have a question, however. I want to be able to push out an inputs.conf file to all forwarders as it contains fschange configuration information. However, the inputs.conf file on the lightforwarders should also contain the following stanza:
[default] host = foo
We do need to specify the hostname in there (we prefer to override using short names in Splunk, not the FQDN).
Is there a way to work with this within the Deployment server? I don't want to have to create a serverclass for every single host; that would defeat the purpose, right?
Any suggestions would be appreciated!
Are you intending to have the fschange configuration in etc/system/local/inputs.conf? I've always seen the inputs.conf get created with the shortname already. Put everything else in a different file.
No, there's no way to push out individual files, or to define a
variable in inputs.conf that will be server specific.
The only real solution here is to update the
$SPLUNK_HOME/etc/system/local/inputs.conf at install time. That gets created with the
localhost as the default host name initially, so if you add a step to your install process/script you should be all squared away.
I'll also suggest the idea of variables to the Dev team and see if there's any way we can add this capability in a future release
While this solution works, it may not be ideal.
Every Splunk environment is different; I help run a centralized Splunk service for over 100 local I.T. shops within our organization. Outside of the servers that Splunk runs on, I have no access to those servers so I have to send instructions to one of 100+ administrators. Thus we try to do EVERYTHING with the deployment server and have no local configuration files (we go so far as pushing an app with a deploymentclient.conf so once they've checked in they can just have the client name string in $SPLUNK_HOME/etc/system/local/deploymentclient.conf This let's us move our deployment server if we ever need.
So in our environment we would create a new app and then manually edit the
serverclass.conf and use whitelist to control which hosts it went to. The key is our deployment client names are fwd__ so its easy for us to limit who gets what (even when we have host name collisions between different groups).