
How to edit serverclass.conf by CLI?

Log_wrangler
Builder

Normally I would use the deployment server GUI under Settings > Distributed Environment > Forwarder management to create a server class, add clients, and then add apps (for inputs and outputs) to be deployed.

But for some reason the GUI is read-only. I believe it is due to "filterType = blacklist" in many serverclass stanzas, but I am not sure how to edit the stanzas so the GUI will work again.

So, going the manual edit route via CLI, I am not making sense of the syntax for directly editing serverclass.conf.

Could anyone walk me through how to edit the server class?

Thank you

0 Karma

somesoni2
Revered Legend

A better, more controlled approach would be to edit serverclass.conf directly.

http://docs.splunk.com/Documentation/Splunk/7.0.2/Updating/Updateconfigurations#When_editing_serverc...

You can look for which serverclass.conf is storing your serverclass configuration by using the btool command on the deployment server:

./splunk btool serverclass list --debug | grep "\["


0 Karma


Log_wrangler
Builder

Thank you for the reply. I will look at the post and check the tool.

But the part I am not clear on is writing the stanzas, so here is my attempt

in /opt/splunk/etc/system/local
edit serverclass.conf to create class and add clients

#This server class is for my AWS instances
#(for example, all the instance names start with ip-192-168-1-[x].ec2.internal)
[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-*

So now I need to create some inputs and outputs for the class (for example aws_inputs, aws_outputs)
in /opt/splunk/etc/deployment-apps/

this is where I get stuck...

I see previously created deployment-apps (folders) in the directory,
when I cd into them I see default and local, local has only app.conf with one comment #Autogenerated file
but default has an outputs.conf with the correct information.

The inputs will be monitoring a log source, which I could enter on each end point but would rather deploy an app.

Please advise how I create the two apps by CLI? Or possibly I am missing the CLI instructions.

Do I create a couple more stanzas in serverclass.conf? Will that auto-create the deployment apps?

#This is for aws instances inputs
[serverClass:AWS_instances:app:aws_inputs]
stateOnClient = enabled
restartSplunkd = true

#This is for aws instances outputs
[serverClass:AWS_instances:app:aws_outputs]
stateOnClient = enabled
restartSplunkd = true

Thank you

0 Karma

somesoni2
Revered Legend

You create the app in /opt/splunk/etc/deployment-apps/YourAppName (which will include a default or local directory with an inputs.conf containing your monitoring statements). I'd recommend you create an aws_props_transforms app, which will have your sourcetype definitions (line breaking, timestamp parsing, etc.), as well. This app will go to your indexers or heavy forwarders. Now, to assign those apps to your AWS servers (deployment clients), you'll add the app assignment stanzas within your AWS_instances serverclass, like this:

[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-*
restartSplunkd = true
[serverClass:AWS_instances:app:aws_inputs]
[serverClass:AWS_instances:app:aws_outputs]

Other attributes (stateOnClient) are using default values, so I'm ignoring them. Reload or restart your deployment server instance for these changes to take effect (the reload happens automatically when you make these changes in the UI).

0 Karma
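A pre-reload check for the points made in the answer above, as an added example that is not part of the original thread or of Splunk's own tooling: it flags app stanzas in serverclass.conf that have no matching folder under deployment-apps (the stanza does not create the app), app stanzas whose server class is not defined, and duplicated stanzas. The function names and the sample config are constructed for illustration, and it assumes apps live directly under one deployment-apps directory.

```python
import os
import re
import tempfile
STANZA = re.compile(r"^\[(.+)\]$")

def stanza_names(text):
    """Yield (line_number, stanza_name) for every [stanza] header, duplicates kept."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = STANZA.match(raw.strip())
        if m:
            yield lineno, m.group(1)

def lint_serverclass(text, apps_dir):
    """Return a list of problems; app folders are looked up under apps_dir."""
    stanzas = list(stanza_names(text))
    classes = {n.split(":")[1] for _, n in stanzas
               if n.startswith("serverClass:") and n.count(":") == 1}
    problems, seen = [], set()
    for lineno, name in stanzas:
        if name in seen:
            problems.append(f"line {lineno}: duplicate stanza [{name}]")
            continue
        seen.add(name)
        parts = name.split(":")
        if len(parts) != 4 or parts[0] != "serverClass" or parts[2] != "app":
            continue  # only app-assignment stanzas are checked below
        server_class, app = parts[1], parts[3]
        if server_class not in classes:
            problems.append(f"line {lineno}: class {server_class} is not defined")
        if not os.path.isdir(os.path.join(apps_dir, app)):
            problems.append(f"line {lineno}: no app folder named {app}")
    return problems

# Constructed sample: aws_inputs has no folder yet; aws_outputs is listed twice.
SAMPLE = """\
[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-*
[serverClass:AWS_instances:app:aws_inputs]
[serverClass:AWS_instances:app:aws_outputs]
[serverClass:AWS_instances:app:aws_outputs]
"""

def demo():
    with tempfile.TemporaryDirectory() as apps_dir:  # stand-in for deployment-apps
        os.makedirs(os.path.join(apps_dir, "aws_outputs", "default"))
        return lint_serverclass(SAMPLE, apps_dir)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Against a real deployment server, pass the contents of the serverclass.conf that btool reports and the path to the deployment-apps directory, then reload only when the list comes back empty.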

Log_wrangler
Builder

Thank you very much for the outstanding explanation.

Please convert to an answer so I can accept.

0 Karma

somesoni2
Revered Legend

Here you go.

0 Karma

somesoni2
Revered Legend

You can see this for all the stuff you can add to your serverclass.conf:

http://docs.splunk.com/Documentation/Splunk/7.0.3/Updating/Useserverclass.conf

0 Karma