How to edit serverclass.conf by CLI?

Builder

Normally I would use the deployment server GUI under setting > Distributed Environment > Forwarder management to create a server class, add clients, and then add apps (for inputs and outputs) to be deployed.

But for some reason the GUI is read-only. I believe it is due to "filterType = blacklist" in many serverclass stanzas, but I am not sure how to edit the stanza so the GUI will work again.

So, going the manual edit route via CLI, I am not making sense of the syntax for directly editing serverclass.conf.

Could anyone walk me through how to edit the server class?

Thank you

0 Karma

SplunkTrust

A better, more controlled approach would be to edit serverclass.conf directly.

http://docs.splunk.com/Documentation/Splunk/7.0.2/Updating/Updateconfigurations#When_editing_serverc...

You can look for which serverclass.conf is storing your serverclass configuration by using the btool command on the deployment server:

./splunk btool serverclass list --debug | grep "\["


0 Karma

Builder

Thank you for the reply. I will look at the post and check the tool.

But the part I am not clear on is writing the stanzas, so here is my attempt:

In /opt/splunk/etc/system/local, edit serverclass.conf to create the class and add clients:

#This server class is for my AWS instances
#(for example all the instance names start with ip-192-168-1-[x].ec2.internal)
[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-*

So now I need to create some inputs and outputs for the class (for example awsinputs, awsoutputs) in /opt/splunk/etc/deployment-apps/

this is where I get stuck...

I see previously created deployment-apps (folders) in the directory,
when I cd into them I see default and local, local has only app.conf with one comment #Autogenerated file
but default has an outputs.conf with the correct information.

The inputs will be monitoring a log source, which I could enter on each end point but would rather deploy an app.

Please advise how I create the two apps by CLI? Or possibly I am missing the CLI instructions.

Do I create a couple more stanzas in serverclass.conf? Will that auto-create the deployment apps?

#This is for aws instances inputs
[serverClass:AWS_instances:app:aws_inputs]
stateOnClient = enabled
restartSplunkd = true

#This is for aws instances outputs
[serverClass:AWS_instances:app:aws_outputs]
stateOnClient = enabled
restartSplunkd = true

Thank you

0 Karma

SplunkTrust

You create the app in /opt/splunk/etc/deployment-apps/YourAppName (which will include a default OR local directory with inputs.conf with your monitoring statements). I'll recommend you create an awspropstransforms app which will have your sourcetype definitions (line breaking, timestamp parsing, etc.) as well. This app will go to your indexers or heavy forwarders. Now, to assign your aws servers (deployment clients) those apps, you'll add the app assignment stanzas within your AWS_instances serverclass, like this:

[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-*
restartSplunkd = true
[serverClass:AWS_instances:app:aws_inputs]
[serverClass:AWS_instances:app:aws_outputs]

Other attributes (stateOnClient) are using default values, so I'm ignoring them. Reload or restart your deployment server instance for these changes to take effect (reload happens automatically when you make these changes through the UI).

0 Karma
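
The procedure from the answer above, as an added example that is not part of the original thread: it creates the two deployment apps, appends the server class stanzas, and then checks serverclass.conf for duplicated stanzas and for app stanzas with no matching directory under deployment-apps (the stanzas do not create the apps). The function names, monitored path, sourcetype, index and indexer address are assumptions; pass a scratch directory as the first argument rather than the live /opt/splunk.

```shell
# Added example. The monitored path, sourcetype, index and indexer address
# are placeholder assumptions; class and app names follow the thread.

# make_app HOME APP CONF: create deployment-apps/APP/local/CONF from stdin.
make_app() {
    mkdir -p "$1/etc/deployment-apps/$2/local" &&
        cat > "$1/etc/deployment-apps/$2/local/$3"
}

# scaffold HOME: create both apps, then append the server class stanzas.
scaffold() {
    make_app "$1" aws_inputs inputs.conf <<'EOF' &&
[monitor:///var/log/myapp/app.log]
sourcetype = myapp:log
index = main
EOF
    make_app "$1" aws_outputs outputs.conf <<'EOF' &&
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
server = indexer.example.internal:9997
EOF
    mkdir -p "$1/etc/system/local" &&
    cat >> "$1/etc/system/local/serverclass.conf" <<'EOF'
[serverClass:AWS_instances]
whitelist.0 = ip-192-168-1-*
restartSplunkd = true
[serverClass:AWS_instances:app:aws_inputs]
[serverClass:AWS_instances:app:aws_outputs]
EOF
}

# check_serverclass HOME: print each problem found; non-zero status if any.
check_serverclass() {
    stanzas=$(sed -n 's/^[[:space:]]*\(\[.*]\)[[:space:]]*$/\1/p' \
        "$1/etc/system/local/serverclass.conf")
    problems=$(
        printf '%s\n' "$stanzas" | sort | uniq -d | sed 's/^/duplicate stanza: /'
        printf '%s\n' "$stanzas" |
            sed -n 's/^\[serverClass:[^:]*:app:\(.*\)]$/\1/p' | sort -u |
            while read -r app; do
                [ -d "$1/etc/deployment-apps/$app" ] || echo "missing app directory: $app"
            done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
if [ -n "${1:-}" ]; then scaffold "$1" && check_serverclass "$1"; fi
```

Once the same layout is in place on the deployment server, `splunk reload deploy-server` applies it without a full restart.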

Builder

Thank you very much for the outstanding explanation.

Please convert to an answer so I can accept.

0 Karma

SplunkTrust

Here you go.

0 Karma

SplunkTrust

You can see this for all the stuff you add to your serverclass.conf:

http://docs.splunk.com/Documentation/Splunk/7.0.3/Updating/Useserverclass.conf

0 Karma