Hello, I seem to have a basic misunderstanding of how the Splunk 4.1.3 Deployment Server works. I want to deploy a simple inputs.conf to a group of Splunk forwarders.
I have already done the following:
1.) Set up a Deployment Server (same as my searchhead)
2.) Defined serverclass.conf:
[serverClass:PUC-Linux-LWF]
filterType = whitelist
repositoryLocation = /opt/splunk-searchhead/splunk/etc/deployment-apps/PUC-Linux-LWF
whitelist.0 = *
3.) Enabled the deployment clients (as described). Handshaking is working:
lfrprax@splunk-a:/opt/splunk-searchhead/splunk/bin# ./splunk list deploy-clients
Deployment client: ip=10.111.128.98, dns=splunk-a.puc.ov.otto.de, hostname=splunk-a, mgmt=8589, build=80534, name=deploymentClient, id=connection_10.111.128.98_8589_splunk-a.puc.ov.otto.de_splunk-a_deploymentClient, utsname=linux-x86_64
utsname: linux-x86_64
name: deploymentClient
ip: 10.111.128.98
hostname: splunk-a
build: 80534
dns: splunk-a.puc.ov.otto.de
mgmt: 8589
phoneHomeTime: Thu Aug 12 19:26:39 2010
id: connection_10.111.128.98_8589_splunk-a.puc.ov.otto.de_splunk-a_deploymentClient
4.) Created the directories and the inputs.conf that I want to distribute:
lfrprax@splunk-a:/opt/splunk-searchhead/splunk/etc/deployment-apps/PUC-Linux-LWF/default# cat inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
disabled = 1
index = idx_dev_splunk
#TEST
5.) Reloading Deploy-Server:
lfrprax@splunk-a:/opt/splunk-searchhead/splunk/bin# ./splunk reload deploy-server
Reloading server classes (and checking for any new or removed classes).
Here's my question... where is the new inputs.conf on my deployment client? I can't find it!???
Please, help.
You'll need to define your server class and app this way in your serverclass.conf:
[serverClass:PUC-Linux-LWF]
filterType = whitelist
whitelist.0 = *
[serverClass:PUC-Linux-LWF:app:PUC-Linux-LWF]
stateOnClient=enabled
Then the distribution of the configuration should work.
The configuration will appear in $SPLUNK_HOME/etc/apps/PUC-Linux-LWF/default/inputs.conf
EDIT:
For troubleshooting deployment install-failures, this search was quite handy in the past:
index="_internal" sourcetype="splunkd" component="DeploymentMetrics" | rename scName as serverClass fqname as install_location hostname as deploymentClient | table _time deploymentClient ip serverClass appName event status reason install_location
OK, I also found out that for more than one forwarder I have to create more whitelist entries.
E.g.:
This entry:
whitelist.0 = blade583.puc.ov.otto.de, blade488.puc.ov.otto.de
...is not working.
If I use this:
whitelist.0 = blade583.puc.ov.otto.de
whitelist.1 = blade488.puc.ov.otto.de
...it is working.
How can I add 80+ forwarder entries to the whitelist?
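The two serverclass.conf mistakes found in this thread (the missing app stanza from the answer, and the comma-separated whitelist value from the comment above), as an added example that is not part of the original posts or Splunk's own tooling: a small Python lint plus a generator for numbered whitelist entries. The function names are hypothetical and the sample configs are constructed from the values quoted in the thread.

```python
import re
# Constructed samples built from the values quoted in this thread.
BROKEN = """\
[serverClass:PUC-Linux-LWF]
filterType = whitelist
whitelist.0 = blade583.puc.ov.otto.de, blade488.puc.ov.otto.de
"""
FIXED = """\
[serverClass:PUC-Linux-LWF]
filterType = whitelist
whitelist.0 = blade583.puc.ov.otto.de
whitelist.1 = blade488.puc.ov.otto.de
[serverClass:PUC-Linux-LWF:app:PUC-Linux-LWF]
stateOnClient=enabled
"""

def parse_conf(text):
    """Return {stanza_name: {key: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_serverclass(text):
    """Flag the two mistakes discussed in the thread; returns a list of findings."""
    stanzas = parse_conf(text)
    findings = []
    for stanza, settings in stanzas.items():
        if not stanza.startswith("serverClass:") or stanza.count(":") != 1:
            continue  # skip [global] and the app stanzas themselves
        if not any(s.startswith(stanza + ":app:") for s in stanzas):
            findings.append(f"[{stanza}] has no :app: stanza, so no app is mapped to it")
        for key, value in settings.items():
            if re.fullmatch(r"whitelist\.\d+", key) and "," in value:
                findings.append(f"[{stanza}] {key} lists several hosts; use one entry per host")
    return findings

def whitelist_lines(hosts, start=0):
    """One whitelist.N line per host, de-duplicated, input order preserved."""
    unique = list(dict.fromkeys(h.strip() for h in hosts if h.strip()))
    return [f"whitelist.{i} = {h}" for i, h in enumerate(unique, start)]
```

Feeding `whitelist_lines` a host inventory (one name per line) produces the 80+ numbered entries to paste under the server class stanza.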
I deleted the deployment app repository and recreated it manually, as well as edited the serverclass.conf manually. Now it is working!
OK... support suggested to delete the entire apps and recreate them manually. I did that... and it works now!
I did that, but the inputs.conf does not get distributed. Must be something simple I am missing?
Thank you, I'll give it a try.
ziegfried's answer is basically right. You have to define an app containing the configurations, and specify the app under the serverClass definition.
You could try running the search I've added to the answer on your deployment server.
Even more... I found out the deployment server is creating a temp directory here:
$SPLUNK_HOME/var/run/tmp/PUC-Linux-LWF
But that is also empty.
Why is it not transmitting my inputs.conf????
OK... I found out that the deployment client is indeed creating a subdirectory here:
$SPLUNK_HOME/var/run/PUC-Linux-LWF
But the directory is empty. No sight of the inputs.conf.
Not working, sorry.
Could it be that it is not working, since I use the searchhead as deployment server, which is using only a Splunk forwarder license?
Sorry, still not working.
Maybe I have to define the targetRepositoryLocation?
Or is the problem that my target Splunkforwarder is using a different management port?
I'll open a support ticket.