Dears,
After upgraded Splunk from 9.1.2 version to 9.2.0 version, the deployment server not showing the clients, but Splunk receiving logs from clients, and also the client agents showing on all Splunk servers under setting --> Forwarder Managment except Deployment server, I don't know how that occurred, I didn't change anything.
Kindly your support for that.
Best Regards,
Dears,
I have resolved the issue by adding below configuration under outputs.conf in the deployment server, then restart splunk service in the deployment server.
[indexAndForward]
index = true
selectiveIndexing = true
You can see below URL:
I have tried all the recommendations in this thread and non of them works. I upgraded from 9.0 to 9.3, but the clients are not phoning in.
This is not working for me 😞
I have the app in place on my DS (/etc/apps/DS_Fix/local/outputs.conf
@AAlhabba , thank you for the solution .Worked like a charm.
Does this work with splunk cloud as well? WE have splunk onprem deployment server, indexers are all in the cloud and experiencing the same where clients are not showing up after an update to 9.2.x. They are phoning home however as per the logs
nvm figured it out. It was the output.conf in this app - etc/apps/SplunkDeploymentServerConfig. Documentation is a bit confusing for this
Hi @AJ_splunk1, just a heads-up that https://docs.splunk.com/Documentation/Splunk/9.2.0/Updating/Upgradepre-9.2deploymentservers states that " In particular, there is a new system-generated app, etc/apps/SplunkDeploymentServerConfig, which contains configuration files necessary to the proper functioning of the deployment server. Do not alter this directory or its files in any way."
I chose to implement the 9.2 fix (also shown on the page link above) as a separate app in \etc\apps on the ds and just called something like "Fix_DSClientList" so it's more obvious there's a modification in place.
I hope that helps.
Dears,
I have resolved the issue by adding below configuration under outputs.conf in the deployment server, then restart splunk service in the deployment server.
[indexAndForward]
index = true
selectiveIndexing = true
You can see below URL:
Boy am I glad to have found this thread. Got my problem solved, thank you so much ❤️
Another fix to try is as follows:
Find your distsearch.conf and then find the stanza that has default = true in it. In that stanza, make sure localhost:localhost is listed in the setting below
servers =
For example, it was like this before:
distributedSearch:testgroup1
default = true
servers = somehostname.company.com
Once you find that stanza, add localhost to make it look like this (and it's literal in that it's simply localhost:localhost)
distributedSearch:testgroup1
default = true
servers = somehostname.company.com, localhost:localhost
Restart the DS and from the internal thread within a few minutes/hours the clients should start to populate again
This worked instantly! I appreciate you!
Thanks,
JJJ
This was so helpful and fixed my problem, thankyou very much!
Thereare no miracles. If they are showing in the Forwarder Management section on a server different than your designated DS, they must have been pointed there somehow. Check your deployment server definition on your forwarders.
We are experiencing the same thing. The clients are showing up in the client_events logs checking in and phoning home on the deployment server. But after updating to 9.2 they aren't appearing under the Settings>Forwarder Management page on the DS. We have not made any changes to the forwarders yet.
FWIW, happening here as well, with 9.2.0.1.
Checked all The Things mentioned in that doc everyone keeps referencing, including those stanzas mentioned numerous times here.
Another symptom of mine is that the ForwarderManager (deployer) doesn't appear in my monitored servers in the SplunkManager (aka Master).
This is nuts. Go figure.
I ended up fixing this my removing the "Deployment Server" role from the system, saving it, then adding it back, restarting the service, bam! Fixed.
I'd rather be lucky than good...
Hmmm, are you talking about the role defined within the Monitoring Console? I am having tons of issues resolving this.
Hi,
Did you open case with Splunk support about this issue, I already opened still Splunk support trying to resolve it.
Best Regards,
Any luck with support? I tried the outputs.conf solution in this thread but it doesn't seem to have worked.
Pre-upgrade from 9.0.x to 9.2.1 I had 300ish clients in my DS. right now only 14 are showing up.
Thanks,
Dave
Applying the stanza you referenced below worked for us as well:
[indexAndForward] index = true selectiveIndexing = true
Thanks!
Created a local directory within the SplunkDeploymentServerConfig app. Added the outputs.conf
/opt/splunk/etc/apps/SplunkDeploymentServerConfig/local/outputs.conf
[indexAndForward]
index = true
selectiveIndexing = true
Clients started reporting to the DS after restarting Splunk. Thankful I found this thread.