
How to push $SPLUNK_HOME/system/local/outputs.conf from the Deployer to Search Head Cluster members to send internal data to indexers?


Dear SPLUNK Community,

I want to configure the $SPLUNK_HOME/etc/system/local/outputs.conf in all Search Heads in my cluster to send internal data to indexers.

As I want to use the Deployer for this purpose, I prepared the outputs.conf in the Deployer.

However, on the Deployer, the source directory is:
a) $SPLUNK_HOME/etc/shcluster/apps, or
b) $SPLUNK_HOME/etc/shcluster/users

And the target directory on the Search Head side, eventually is:
a) $SPLUNK_HOME/etc/apps, or
b) $SPLUNK_HOME/etc/users

But that is not where I want to place the file. Should it not be $SPLUNK_HOME/etc/system/local/outputs.conf?

Please help, am I missing something here?

Thanks
Ishaan


Re: How to push $SPLUNK_HOME/system/local/outputs.conf from the Deployer to Search Head Cluster members to send internal data to indexers?


You don't necessarily have to place it under etc/system/local on all the members.

Create an app on the deployer, put outputs.conf within that app as shown below, and push the bundle:

$SPLUNK_HOME/etc/shcluster/apps/my_outputs/local/outputs.conf

Now, all the members will receive the my_outputs app.

Make sure there is no other outputs.conf on the members.

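The steps in the answer above as a shell sketch, added here as an example and not taken from the thread or from Splunk's own tooling: one function stages the `my_outputs` app on the deployer, the other checks a member for any other `outputs.conf`. The indexer addresses, port 9997, the `primary_indexers` group name and both function names are assumptions.

```shell
#!/bin/sh
# Added example. Indexer addresses and the group name are constructed placeholders.
APP_NAME="my_outputs"   # app name used in the answer above

# Deployer side. $1 = SPLUNK_HOME on the deployer,
# $2 = comma-separated indexer host:port list. Prints the path written.
stage_outputs_app() {
    app_dir="$1/etc/shcluster/apps/$APP_NAME/local"
    mkdir -p "$app_dir" || return 1
    cat > "$app_dir/outputs.conf" <<EOF
# Do not index locally on the search head; forward all data,
# internal indexes (_internal, _audit, ...) included.
[indexAndForward]
index = false

[tcpout]
defaultGroup = primary_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:primary_indexers]
server = $2
EOF
    printf '%s\n' "$app_dir/outputs.conf"
}

# Member side. $1 = SPLUNK_HOME on the member. Prints every outputs.conf
# outside the pushed app and returns 1 if any exist, 0 if none.
find_conflicting_outputs() {
    found=$(find "$1/etc/apps" "$1/etc/system/local" -name outputs.conf \
            ! -path "*/etc/apps/$APP_NAME/*" 2>/dev/null || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# After staging, push from the deployer (placeholders in angle brackets):
#   splunk apply shcluster-bundle -target https://<member>:<mgmt_port> -auth <user>:<password>
# On a member, show which files contribute to the effective settings:
#   splunk btool outputs list --debug
```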