Deployment Architecture

Why is a second serverclass.conf located in the search app after restarting the deployment server?


I ran into an issue today after restarting my deployment server. After restarting, it would no longer load the "Forwarder Management" page, stating that there was an error in serverclass.conf. In the process of trying to find the error, I used btool to list the serverclass configurations. I noticed that there were a few stanzas located in "/opt/splunk/etc/apps/search/local/serverclass.conf". I never created this file and it only had about 6 stanzas in it, while my main serverclass.conf file in etc/system/local has over 80 stanzas.

I'm trying to prevent this issue from repeating, but I have no idea how the serverclass.conf file in etc/apps/search/local even came to exist. Any ideas?


If you use the Add Inputs wizard to create remote inputs, it will edit the etc/apps/search/local/serverclass.conf.
I'm not sure why. I am also pretty sure that any changes made through the CLI will also be saved in etc/apps/search/local/serverclass.conf and not etc/system/local/serverclass.conf.

0 Karma


I have two serverClasses and their associated stanzas defining the corresponding Deployment apps that appeared in ~/etc/apps/search/local/serverclass.conf and I did not do either of these two things. I have no idea why they landed there. That feels buggy to me. There must be something you can do before going to Forwarder management that causes it to place newly-defined serverClass(es) in the Search app's local.

I was freaking out when I looked in ~/etc/system/local/serverclass.conf for a serverClass to remind myself what the Deployment app was and I did not find it, yet I found it in Forwarder management. I would not have guessed where it went until I saw

0 Karma


Did you by chance end up with the deployment server as a client of itself? We have ours blacklisted. And are you by chance distributing a search app via deployment-apps?

0 Karma


The deployment server hasn't ended up as a deployment client; we also have it blacklisted. We did deploy a search app via deployment-apps to our search heads, but later deleted it. The search app was located under etc/deploymentapps/search-2. That stanza, or anything related to it, doesn't show up in the suspicious serverclass.conf file.

0 Karma
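
To see which files contribute serverclass stanzas without relying on the Forwarder Management page, the following added example (not from any poster in this thread and not Splunk's own tooling) scans a Splunk tree for local serverclass.conf files, lists stanzas that sit outside etc/system/local, and reports stanzas defined in more than one file. It assumes etc/system/local is the intended location, as in the original question; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory of serverclass.conf files under a Splunk etc/ tree.
# Assumption: serverclass stanzas are meant to live in etc/system/local only.

# _sc_files SPLUNK_HOME: every */local/serverclass.conf, sorted by path.
_sc_files() {
    find "$1/etc" -type f -path '*/local/serverclass.conf' 2>/dev/null | sort
}

# list_serverclass_files SPLUNK_HOME: prints "<stanza count> <path>" per file.
list_serverclass_files() {
    _sc_files "$1" | while IFS= read -r f; do
        # grep -c exits 1 on zero matches; "|| true" keeps the count of 0.
        n=$(grep -c '^[[:space:]]*\[' "$f" || true)
        printf '%s %s\n' "$n" "$f"
    done
}

# all_stanzas SPLUNK_HOME: prints "<stanza header><TAB><path>" for each stanza.
all_stanzas() {
    _sc_files "$1" | while IFS= read -r f; do
        awk -v p="$f" '/^[ \t]*\[/ {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            print $0 "\t" p
        }' "$f"
    done
}

# stray_stanzas SPLUNK_HOME: stanzas found anywhere but etc/system/local.
stray_stanzas() {
    all_stanzas "$1" |
    awk -F'\t' -v e="$1/etc/system/local/serverclass.conf" \
        '$2 != e { print $2 ": " $1 }'
}

# duplicate_stanzas SPLUNK_HOME: stanzas defined in more than one file,
# printed as "<stanza header>: <path> <path> ...".
duplicate_stanzas() {
    all_stanzas "$1" |
    awk -F'\t' '{ c[$1]++; f[$1] = f[$1] " " $2 }
        END { for (s in c) if (c[s] > 1) print s ":" f[s] }' | sort
}
```

Source the file and run, for example, `stray_stanzas /opt/splunk` on the deployment server; any output points at a file such as etc/apps/search/local/serverclass.conf that is being merged with the main configuration.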