Replacing an indexer in forwarder's outputs.conf u...

frednuffer · ‎03-10-2021

Can I remove an indexer from deployed forwarders' outputs.conf using the deployment server?

isoutamo · ‎03-10-2021

When/if you are using separate TA for those config it’s easy task. Just update outputs.conf in DS and in next round it has changed. If you have output.conf under system/local it is also doable with some tricks. You should found instructions by googling. But anyhow I strongly propose that you should always use a separate app/TA for these configurations.

r. Ismo

richgalloway · ‎03-10-2021

If the outputs.conf file is part of an app and NOT in $SPLUNK_HOME/etc/system/local then, yes, the DS can update that app with a new outputs.conf that is missing the removed indexer.

If the forwarder's outputs.conf file IS in etc/system/local then all is not lost. The DS can push the same app as above, but must also deliver a scripted input that deletes $SPLUNK_HOME/etc/system/local/outputs.conf. Make sure the settings in the deleted outputs.conf file are replaced by settings in outputs.conf files delivered in one or more apps.

---
If this reply helps you, Karma would be appreciated.

Replacing an indexer in forwarder's outputs.conf using a deployment server

forwarder management

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!