Deployment Architecture

Why second serverclass.conf located in search app after restarting deployment server?


I ran into an issue today after restarting my deployment server. After restarting, it would no longer load the "Forwarder Management" page, stating that there was an error in serverclass.conf. In the process of trying to find the error, I used btool to list the serverclass configurations. I noticed that there were a few stanzas located in "/opt/splunk/etc/apps/search/local/serverclass.conf". I never created this file and it only had about 6 stanzas in it, while my main serverclass.conf file in etc/system/local has over 80 stanzas.

I'm trying to prevent this issue from repeating, but I have no idea how the serverclass.conf file in etc/apps/search/local even came to exist. Any ideas?


If you use the Add Inputs wizard to create remote inputs, it will edit the etc/apps/search/local/serverclass.conf
I'm not sure why. I am also pretty sure that any changes made through the CLI will also be saved in etc/apps/search/local/serverclass.conf and not etc/system/local/serverclass.conf

0 Karma


I have two serverClasses and their associated stanzas defining the corresponding Deployment apps that appeared in ~/etc/apps/search/local/serverclass.conf and I did not do either of these two things. I have no idea why they landed there. That feels buggy to me. There must be something you can do before going to Forwarder management that causes it to place newly-defined serverClass(es) in the Search app's local.

I was freaking-out when I looked in ~/etc/system/local/serverclass.conf for a serverClass to remind myself what the Deployment app was and I did not find it, yet I found it in Forwarder management. I would not have guessed where it went until I saw

0 Karma


Did you by chance end up with the deployment server as a client of itself? We have ours blacklisted. And are you by chance distributing a search app via deployment-apps?

0 Karma


The deployment server hasn't ended up as a deployment client, we also have it blacklisted. We did deploy a search app via deployment-apps to our search heads, but later deleted it. The search app was located under etc/deploymentapps/search-2. That stanza, or anything related to it doesn't show up in the suspicious serverclass.conf file.

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...