Replacing an indexer in forwarder's outputs.conf using a deployment server

frednuffer
Explorer

Can I remove an indexer from deployed forwarders' outputs.conf using the deployment server?


isoutamo
SplunkTrust

When/if you are using a separate TA for those configs, it’s an easy task. Just update outputs.conf in the DS and in the next round it has changed. If you have outputs.conf under system/local, it is also doable with some tricks. You should find instructions by googling. But anyhow, I strongly propose that you should always use a separate app/TA for these configurations.

r. Ismo

richgalloway
SplunkTrust

If the outputs.conf file is part of an app and NOT in $SPLUNK_HOME/etc/system/local then, yes, the DS can update that app with a new outputs.conf that is missing the removed indexer.

If the forwarder's outputs.conf file IS in etc/system/local then all is not lost.  The DS can push the same app as above, but must also deliver a scripted input that deletes $SPLUNK_HOME/etc/system/local/outputs.conf.  Make sure the settings in the deleted outputs.conf file are replaced by settings in outputs.conf files delivered in one or more apps.

---
If this reply helps you, Karma would be appreciated.
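
The scripted input described in the answer above, as an added example (not code from the thread or from Splunk). The app name `org_all_forwarder_outputs`, the script name and the backup suffix are assumptions, and the safety check only recognises a static `server =` list in the app's outputs.conf.

```shell
#!/bin/sh
# Added example: scripted input shipped inside the deployment app.
# Assumed (hypothetical) layout under $SPLUNK_HOME/etc/apps/org_all_forwarder_outputs/:
#   local/outputs.conf            new indexer list, without the removed indexer
#   local/inputs.conf             [script://./bin/remove_local_outputs.sh]
#                                 interval = -1   (run once at startup)
#   bin/remove_local_outputs.sh   this file

# Usage: remove_local_outputs SPLUNK_HOME APP_NAME
# Returns 0 if the system/local file is absent or was removed,
# 1 if removal was refused because the app provides no replacement output.
remove_local_outputs() {
    home=$1
    app=$2
    local_conf="$home/etc/system/local/outputs.conf"

    # Locate the outputs.conf delivered by the app (local overrides default).
    app_conf=""
    for d in local default; do
        if [ -f "$home/etc/apps/$app/$d/outputs.conf" ]; then
            app_conf="$home/etc/apps/$app/$d/outputs.conf"
            break
        fi
    done

    # Nothing to do: the forwarder already relies on app-delivered settings.
    [ -f "$local_conf" ] || return 0

    # Refuse to delete unless the app supplies a tcpout stanza and a server list;
    # otherwise the forwarder would be left with nowhere to send its events.
    if [ -z "$app_conf" ] ||
       ! grep -Eq '^[[:space:]]*\[tcpout' "$app_conf" ||
       ! grep -Eq '^[[:space:]]*server[[:space:]]*=[[:space:]]*[^[:space:]]' "$app_conf"; then
        echo "refusing to remove $local_conf: no tcpout settings in app $app" >&2
        return 1
    fi

    # Keep a copy under a name Splunk does not load, then remove the override.
    cp -p "$local_conf" "$local_conf.removed-by-ds.bak" && rm -f "$local_conf"
}

# Run only when SPLUNK_HOME is present in the environment
# (assumed to be the case when splunkd launches a scripted input).
if [ -n "${SPLUNK_HOME:-}" ]; then
    remove_local_outputs "$SPLUNK_HOME" "org_all_forwarder_outputs"
fi
```

Forwarders read outputs.conf at startup, so the removed indexer stays in use until the forwarder is restarted after the script has run.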