Deployment Architecture

How to point forwarders to new Splunk instance

erinbwest
New Member

We went through an acquisition and both of us have Splunk instances. We want to migrate from our Splunk Cloud instance to their Splunk on premise Enterprise instance. Do I only need to change the output.conf files on the forwarders to point to the Enterprise instance? The current forwarders are unfortunately a CentoS linux version I have not worked with before. Thank you.

Tags (1)
0 Karma

woodcock
Esteemed Legend

Yes, you have to send an updated outputs.conf to the forwarders. Generally this is done through a deployment server. If your PS guys were good, they deployed a deploymentclient.conf app through the deployment server which should also update so that it points to the new DS.

0 Karma

amiracle
Splunk Employee
Splunk Employee

This is all done using the Splunk Cloud Forwarder App that you download from your Splunk Cloud instance. This is found on our Splunk Cloud User Manual. For the answer to your question, you can go to the Getting Data In.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi erinbwest,
I don't know how you managed your installation in the past but the best way is to create an App containing two files:

  • deploymentclient.conf,
  • outputs.conf.

The first one contains the address of the Deployment Server and the second one contains the addresses of the Indexers.
In this way, you can manage configuration change in only one point.

So, now the questions are:

  • have you a Deployment Server?
  • where are now the above files?

If you already have a Deployment Server, you have to create an app with the above files and deploy it to all the forwarders.
If you haven't a DS (or another tool), you have to manually manage this deploy and it isn't a good idea.

If the above files are in $SPLUNK_HOME/etc/systel/local, you have to delete them and deploy the above app, if they already are in an app, it's very easy because you have only to change the IP addresses (or the DNS name) of the new Indexers in outputs.con and of the DS in deploymentclient.conf.

Before to start this job, check if all the ports between Forwarders and Indexers (usually 9997) and Deployment Server (usually 8089) are open.

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...