Deployment Architecture

The Client forwarder management not showing the clients

AAlhabba
Explorer

Dears,

       After upgraded Splunk from 9.1.2 version to 9.2.0 version, the deployment server not showing the clients, but Splunk receiving logs from clients, and also the client agents showing on all Splunk servers under setting --> Forwarder Managment except Deployment server, I don't know how that occurred, I didn't change anything.

Kindly your support for that.

 

Best Regards, 

Labels (1)
0 Karma
1 Solution

AAlhabba
Explorer

Dears,

 

        I have resolved the issue by adding below configuration under outputs.conf in the deployment server, then restart splunk service in the deployment server.

 

[indexAndForward]

index = true

selectiveIndexing = true

 

 

You can see below URL:

 

Upgrade pre-9.2 deployment servers - Splunk Documentation

View solution in original post

AJ_splunk1
New Member

Does this work with splunk cloud as well? WE have splunk onprem deployment server, indexers are all in the cloud and experiencing the same where clients are not showing up after an update to 9.2.x. They are phoning home however as per the logs

0 Karma

AJ_splunk1
New Member

nvm figured it out. It was the output.conf in this app - etc/apps/SplunkDeploymentServerConfig. Documentation is a bit confusing for this

0 Karma

learningmode
Loves-to-Learn Lots

Hi @AJ_splunk1, just a heads-up that https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers states that " In particular, there is a new system-generated app, etc/apps/SplunkDeploymentServerConfig, which contains configuration files necessary to the proper functioning of the deployment server. Do not alter this directory or its files in any way."

I chose to implement the 9.2 fix (also shown on the page link above) as a separate app in \etc\apps on the ds and just called something like "Fix_DSClientList" so it's more obvious there's a modification in place.

I hope that helps.

0 Karma

AAlhabba
Explorer

Dears,

 

        I have resolved the issue by adding below configuration under outputs.conf in the deployment server, then restart splunk service in the deployment server.

 

[indexAndForward]

index = true

selectiveIndexing = true

 

 

You can see below URL:

 

Upgrade pre-9.2 deployment servers - Splunk Documentation

JRW
Splunk Employee
Splunk Employee

Another fix to try is as follows:

Find your distsearch.conf and then find the stanza that has default = true in it. In that stanza, make sure ocalhost:localhost is listed in the setting below

 

servers = 

 

 

For example, it was like this before:

distributedSearch:testgroup1
default = true
servers = somehostname.company.com

Once you find that stanza, add localhost to make it look like this (and it's literal in that it's simply localhost:localhost)

distributedSearch:testgroup1
default = true
servers = somehostname.company.com, localhost:localhost

Restart the DS and from the internal thread within a few minutes/hours the clients should start to populate again

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Thereare no miracles. If they are showing in the Forwarder Management section on a server different than your designated DS, they must have been pointed there somehow. Check your deployment server definition on your forwarders.

0 Karma

landrujw
Engager

We are experiencing the same thing. The clients are showing up in the client_events logs checking in and phoning home on the deployment server. But after updating to 9.2 they aren't appearing under the Settings>Forwarder Management page on the DS. We have not made any changes to the forwarders yet.

0 Karma

mykol_j
Path Finder

FWIW, happening here as well, with 9.2.0.1.

Checked all The Things mentioned in that doc everyone keeps referencing, including those stanzas mentioned numerous times here.

Another symptom of mine is that the ForwarderManager (deployer) doesn't appear in my monitored servers in the SplunkManager (aka Master).

Tags (1)
0 Karma

mykol_j
Path Finder

This is nuts. Go figure.

I ended up fixing this my removing the "Deployment Server" role from the system, saving it, then adding it back, restarting the service, bam! Fixed.

I'd rather be lucky than good...

0 Karma

AAlhabba
Explorer

Hi,

Did you open case with Splunk support about this issue, I already opened still Splunk support trying to resolve it.

 

Best Regards,

0 Karma

ccsfdave
Builder

Any luck with support?  I tried the outputs.conf solution in this thread but it doesn't seem to have worked.  

 

Pre-upgrade from 9.0.x to 9.2.1 I had 300ish clients in my DS.  right now only 14 are showing up.

 

Thanks,

Dave

0 Karma

landrujw
Engager

Applying the stanza you referenced below worked for us as well:
 

[indexAndForward]
index = true
selectiveIndexing = true   

 Thanks!

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...