Deployment Architecture

Replacing an indexer in forwarder's outputs.conf using a deployment server

frednuffer
Explorer

Can I remove an indexer from deployed forwarders' outputs.conf using the deployment server?

Labels (1)
Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

When/if you are using separate TA for those config it’s easy task. Just update outputs.conf in DS and in next round it has changed. If you have output.conf under system/local it is also doable with some tricks. You should found instructions by googling. But anyhow I strongly propose that you should always use a separate app/TA for these configurations.

r. Ismo

richgalloway
SplunkTrust
SplunkTrust

If the outputs.conf file is part of an app and NOT in $SPLUNK_HOME/etc/system/local then, yes, the DS can update that app with a new outputs.conf that is missing the removed indexer.

If the forwarder's outputs.conf file IS in etc/system/local then all is not lost.  The DS can push the same app as above, but must also deliver a scripted input that deletes $SPLUNK_HOME/etc/system/local/outputs.conf.  Make sure the settings in the deleted outputs.conf file are replaced by settings in outputs.conf files delivered in one or more apps.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...