Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Replacing an indexer in forwarder's outputs.conf using a deployment server

frednuffer
Explorer
‎03-10-2021 10:51 AM

Can I remove an indexer from deployed forwarders' outputs.conf using the deployment server?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-10-2021 11:51 AM

When/if you are using separate TA for those config it’s easy task. Just update outputs.conf in DS and in next round it has changed. If you have output.conf under system/local it is also doable with some tricks. You should found instructions by googling. But anyhow I strongly propose that you should always use a separate app/TA for these configurations.

r. Ismo

Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-10-2021 11:51 AM

If the outputs.conf file is part of an app and NOT in $SPLUNK_HOME/etc/system/local then, yes, the DS can update that app with a new outputs.conf that is missing the removed indexer.

If the forwarder's outputs.conf file IS in etc/system/local then all is not lost.  The DS can push the same app as above, but must also deliver a scripted input that deletes $SPLUNK_HOME/etc/system/local/outputs.conf.  Make sure the settings in the deleted outputs.conf file are replaced by settings in outputs.conf files delivered in one or more apps.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...