Deployment Architecture

How to deploy updates to inputs.conf, outputs.conf, and deploymentclient.conf files to the "C:\Program Files\Splunk\etc\system\local" directory?

thomas_forbes
Communicator

I have created an app (which includes updates for the inputs.conf, outputs.conf and deploymentclient.conf files), an associated Server class, and have successfully deployed the app to all clients I have listed in the Forwarder Management section. On the server-side, the app resides in the /opt/splunk/etc/deployment-apps directory. On the client side the apps are downloaded to the C:/Program Files/Splunk/etc/apps directory. In order for my forwarders to pass on the relevant information to my indexer, I need the .conf files contained in the app to be pushed out to the C:\Program Files\Splunk\etc\system\local directory. How can I make this happen?

Thank you,
Tom Forbes

0 Karma
1 Solution

somesoni2
Revered Legend

The files that you're trying to send to your clients have global context (not app-specific); hence, they don't necessarily have to be deployed to the etc/system/local path.
See the precedence of Splunk configuration files here: http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Wheretofindtheconfigurationfiles#Precedence_...

Based on this, if no system local (/etc/system/local) entries with a matching stanza name exist, your configuration files from the app folders will work just fine.
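
The precedence rule in the answer above, as an added example (not code from the thread or from Splunk): a simplified Python model of global-context layering that merges per attribute in the order system local, app local, app default, system default, with apps ordered by name. The app name `fwd_outputs`, the group name `idx` and the hostnames are constructed sample values.

```python
import re

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def layer_rank(path):
    """Lower tuple wins: system/local, apps/*/local, apps/*/default, system/default."""
    parts = path.split("/")  # etc/system/<dir>/x.conf or etc/apps/<app>/<dir>/x.conf
    if parts[1] == "system":
        return (0, "") if parts[2] == "local" else (3, "")
    return (1 if parts[3] == "local" else 2, parts[2])  # apps ordered by name

def effective(files):
    """Merge {path: text} per attribute; returns {stanza: {key: (value, source)}}."""
    merged = {}
    for path in sorted(files, key=layer_rank, reverse=True):  # weakest layer first
        for stanza, attrs in parse_conf(files[path]).items():
            for key, value in attrs.items():
                merged.setdefault(stanza, {})[key] = (value, path)
    return merged

# Constructed sample: a deployed app (hypothetical name) carrying outputs.conf.
APP = "etc/apps/fwd_outputs/local/outputs.conf"
SYS = "etc/system/local/outputs.conf"
DEPLOYED = {APP: "[tcpout]\ndefaultGroup = idx\n[tcpout:idx]\nserver = idx1.example.com:9997\n"}
# Same forwarder, but a leftover system/local file sets the same attribute.
SHADOWED = dict(DEPLOYED, **{SYS: "[tcpout:idx]\nserver = old.example.com:9997\n"})

if __name__ == "__main__":
    for name, files in (("deployed app only", DEPLOYED), ("with system/local", SHADOWED)):
        print(name)
        for stanza, attrs in effective(files).items():
            for key, (value, source) in attrs.items():
                print(f"  [{stanza}] {key} = {value}   <- {source}")
```

On a real forwarder, `splunk btool outputs list --debug` prints the file that supplies each effective setting, which is the quickest way to confirm that a deployed app is not being shadowed by a stale system/local entry.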


bmacias84
Champion

For deploying anything to $SPLUNK_HOME/etc/system/local, I would recommend using a configuration management suite such as Chef, Puppet, or SCCM. There is no way of managing $SPLUNK_HOME/etc/system/local through Splunk deployment methods.

If configuration management software is not an option, you can also use the Splunk remote CLI to set the deployment client. For the remote CLI to be available, the default password must be changed on every forwarder. Then you would also have to script it to run for all forwarders.

fredclown
Builder

Couldn't you theoretically deploy an app with a scripted input that would make changes to files in etc/system/local? Not saying this is the best method because if it fails you could brick the forwarder, but I would think it is theoretically possible if there are no other means possible.

0 Karma

thomas_forbes
Communicator

Thank you for your input. I was looking at SCCM, but wanted to get this to work in Splunk first. If I had not used precedence order as it relates to configuration files, I would have gone this route.

Thanks again.

0 Karma

thomas_forbes
Communicator

Thank you for the answer you provided. This solution worked perfectly for me. I was looking at precedence order, but did dig deep enough as I still had the problem with deploying my configuration updates to my clients.

0 Karma