Getting Data In

Changing UF outputs.conf using deployment server

clymbouris
Path Finder

I was wondering if I can use our deployment server to change the outputs.conf on our windows universal forwarders so they point to another indexer if needed to.. is there any standard practice for doing this?

Many thanks

1 Solution

dwaddle
SplunkTrust
SplunkTrust

Yes you can absolutely do this, subject to Splunk's rules for configuration file precedence. Specifically, anything you configure in $SPLUNK_HOME/etc/system/local/outputs.conf can override an outputs.conf pushed by deployment server.

Our practice for doing this is having a small app that we deploy using deployment server that has the correct outputs.conf in it. We make sure that when we install the UF we do not configure it with any local outputs.conf configuration. (In fact, we try to make sure that UF gets NO configuration except from deployment server)

View solution in original post

yannK
Splunk Employee
Splunk Employee

usual method is to :

  • create an app in the deployment server in .../etc//deployment-apps//default/outputs.conf
  • define a serverclass.conf on the deployment server (to match clients to apps)
  • configure the forwarders to point to the deployment-server in deploymentclient.conf

see http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver

only potential hiccup, if your existing outputs.conf is already in /etc/system/local, then it will have precedence on the one in the deployed app, so move it away first.

luisgustavo
Explorer

The path in you answer is misleading. I thought "default" was the app name, but it's a folder inside the app.
It should read:
- create an app in the deployment server in .../etc/deployment-apps/appname/default/outputs.conf

Also, 2nd step can be done in splunk web interface, in Settings > Forwarder Management

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Yes you can absolutely do this, subject to Splunk's rules for configuration file precedence. Specifically, anything you configure in $SPLUNK_HOME/etc/system/local/outputs.conf can override an outputs.conf pushed by deployment server.

Our practice for doing this is having a small app that we deploy using deployment server that has the correct outputs.conf in it. We make sure that when we install the UF we do not configure it with any local outputs.conf configuration. (In fact, we try to make sure that UF gets NO configuration except from deployment server)

View solution in original post

clymbouris
Path Finder

Thanks a lot dwaddle it's clear now 🙂

btran
Explorer

the answer is misleading. you can change the $splunk_home/etc/system/local/outputs.conf file. you can only change $splunk_home/etc/apps/$app_name$/local/outputs.conf
thank you

0 Karma

dstuder
Path Finder

I believe you meant to say ...

the answer is misleading. you can't change the $splunk_home/etc/system/local/outputs.conf file. you can only change $splunk_home/etc/apps/$app_name$/local/outputs.conf
thank you

0 Karma

dwaddle
SplunkTrust
SplunkTrust

Because outputs.conf - like most any other Splunk config file - is merged together from all of the various apps in the installation. Several different outputs.conf files are all pulled together into a "master copy" according to defined rules. You can look at how this is done by using btool. http://docs.splunk.com/Documentation/Splunk/5.0/Troubleshooting/Usebtooltotroubleshootconfigurations

clymbouris
Path Finder

that's probably what I'm looking for.. but even If the /system/local/outputs.conf and /apps/UniversalForwarder/.../output.conf aren't configured how does then /UnivesalForwarder/../output.conf picks up the indexer from the correct output.conf of your app?

0 Karma