Deployment Architecture

Why is a second serverclass.conf located in the search app after restarting the deployment server?


I ran into an issue today after restarting my deployment server. After restarting, it would no longer load the "Forwarder Management" page, stating that there was an error in serverclass.conf. In the process of trying to find the error, I used btool to list the serverclass configurations. I noticed that there were a few stanzas located in "/opt/splunk/etc/apps/search/local/serverclass.conf". I never created this file and it only had about 6 stanzas in it, while my main serverclass.conf file in etc/system/local has over 80 stanzas.

I'm trying to prevent this issue from repeating, but I have no idea how the serverclass.conf file in etc/apps/search/local even came to exist. Any ideas?


If you use the Add Inputs wizard to create remote inputs, it will edit the etc/apps/search/local/serverclass.conf.
I'm not sure why. I am also pretty sure that any changes made through the CLI will also be saved in etc/apps/search/local/serverclass.conf and not etc/system/local/serverclass.conf.

0 Karma


I have two serverClasses and their associated stanzas defining the corresponding Deployment apps that appeared in ~/etc/apps/search/local/serverclass.conf and I did not do either of these two things. I have no idea why they landed there. That feels buggy to me. There must be something you can do before going to Forwarder management that causes it to place newly-defined serverClass(es) in the Search app's local.

I was freaking out when I looked in ~/etc/system/local/serverclass.conf for a serverClass to remind myself what the Deployment app was and I did not find it, yet I found it in Forwarder management. I would not have guessed where it went until I saw

0 Karma


Did you by chance end up with the deployment server as a client of itself? We have ours blacklisted. And are you by chance distributing a search app via deployment-apps?

0 Karma


The deployment server hasn't ended up as a deployment client; we also have it blacklisted. We did deploy a search app via deployment-apps to our search heads, but later deleted it. The search app was located under etc/deploymentapps/search-2. That stanza, or anything related to it, doesn't show up in the suspicious serverclass.conf file.

0 Karma
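An added example, not code from any poster in this thread or from Splunk: a small audit that walks a Splunk `etc` directory, reports every serverclass.conf found outside etc/system/local, and lists stanzas defined in more than one file. The scanned directory list, the `EXPECTED` location, and the sample stanza names and values are assumptions constructed for the demonstration.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

EXPECTED = "system/local/serverclass.conf"  # assumed "main" file, as in the question
SCAN_DIRS = ["system/local", "apps/*/local", "apps/*/default"]  # assumed scan scope

def read_stanzas(conf_path):
    """Return stanza names ([...] header lines) in file order."""
    names = []
    for raw in Path(conf_path).read_text(errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            names.append(line[1:-1])
    return names

def audit(splunk_etc):
    """Return (stray files -> stanzas, stanzas defined in more than one file)."""
    etc = Path(splunk_etc)
    stray, seen = {}, defaultdict(list)
    for pattern in SCAN_DIRS:
        for conf in sorted(etc.glob(pattern + "/serverclass.conf")):
            rel = conf.relative_to(etc).as_posix()
            names = read_stanzas(conf)
            if rel != EXPECTED:
                stray[rel] = names
            for name in names:
                seen[name].append(rel)
    duplicated = {n: files for n, files in seen.items() if len(files) > 1}
    return stray, duplicated

def demo():
    """Build a constructed etc/ tree (sample data, not from the thread) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        for sub in ("system/local", "apps/search/local"):
            (etc / sub).mkdir(parents=True)
        (etc / "system/local/serverclass.conf").write_text(
            "[serverClass:linux_hosts]\nwhitelist.0 = lnx-*\n"
            "[serverClass:linux_hosts:app:nix_inputs]\nrestartSplunkd = true\n")
        (etc / "apps/search/local/serverclass.conf").write_text(
            "# constructed stray file\n[serverClass:linux_hosts]\nwhitelist.0 = web-*\n"
            "[serverClass:win_hosts]\nwhitelist.0 = win-*\n")
        return audit(etc)

if __name__ == "__main__":
    stray, duplicated = demo()
    print("stray files:", stray)
    print("duplicated stanzas:", duplicated)
```

On a real deployment server, call `audit("/opt/splunk/etc")` and compare the result with the file paths that btool reports for each stanza.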