Getting Data In

Changing UF outputs.conf using deployment server

clymbouris
Path Finder

I was wondering if I can use our deployment server to change the outputs.conf on our Windows universal forwarders so they point to another indexer if we need to. Is there any standard practice for doing this?

Many thanks

1 Solution

dwaddle
SplunkTrust

Yes you can absolutely do this, subject to Splunk's rules for configuration file precedence. Specifically, anything you configure in $SPLUNK_HOME/etc/system/local/outputs.conf can override an outputs.conf pushed by deployment server.

Our practice for doing this is having a small app that we deploy using deployment server that has the correct outputs.conf in it. We make sure that when we install the UF we do not configure it with any local outputs.conf configuration. (In fact, we try to make sure that UF gets NO configuration except from deployment server)

yannK
Splunk Employee

The usual method is to:

  • create an app in the deployment server in .../etc//deployment-apps//default/outputs.conf
  • define a serverclass.conf on the deployment server (to match clients to apps)
  • configure the forwarders to point to the deployment-server in deploymentclient.conf

See http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver

The only potential hiccup: if your existing outputs.conf is already in /etc/system/local, it will take precedence over the one in the deployed app, so move it away first.
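The three steps above, written out as an added example (not from the original post or from Splunk's documentation): the app on the deployment server, the server class that maps Windows forwarders to it, and the client-side pointer at the deployment server. The app name uf_outputs, the server class name windows_uf and all hostnames are made-up placeholders; the file paths follow the appname/default layout.

```ini
# Step 1: the app that carries the outputs.conf, on the deployment server.
# $SPLUNK_HOME/etc/deployment-apps/uf_outputs/default/outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder indexer hostnames; 9997 is the conventional receiving port.
server = idx1.example.com:9997, idx2.example.com:9997

# Step 2: map clients to the app, on the deployment server.
# $SPLUNK_HOME/etc/system/local/serverclass.conf
[serverClass:windows_uf]
whitelist.0 = *
# Restrict this class to Windows 64-bit forwarders.
machineTypesFilter = windows-x64

[serverClass:windows_uf:app:uf_outputs]
# A changed outputs.conf only takes effect after splunkd restarts.
restartSplunkd = true

# Step 3: point each forwarder at the deployment server, on the forwarder.
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
[deployment-client]

[target-broker:deploymentServer]
# Placeholder deployment server hostname; 8089 is the management port.
targetUri = ds.example.com:8089
```

To move the forwarders to another indexer later, change only the server list in the app's outputs.conf on the deployment server and let the clients pull it. Running `splunk btool outputs list --debug` on a forwarder shows which file each effective setting came from, which is how a stray copy in etc/system/local that is overriding the deployed app shows up.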

luisgustavo
Explorer

The path in your answer is misleading. I thought "default" was the app name, but it's a folder inside the app.
It should read:
- create an app in the deployment server in .../etc/deployment-apps/appname/default/outputs.conf

Also, the 2nd step can be done in the Splunk web interface, in Settings > Forwarder Management.

0 Karma


clymbouris
Path Finder

Thanks a lot dwaddle, it's clear now 🙂

btran
Explorer

The answer is misleading. You can change the $splunk_home/etc/system/local/outputs.conf file. You can only change $splunk_home/etc/apps/$app_name$/local/outputs.conf.
Thank you

0 Karma

dstuder
Communicator

I believe you meant to say ...

The answer is misleading. You can't change the $splunk_home/etc/system/local/outputs.conf file. You can only change $splunk_home/etc/apps/$app_name$/local/outputs.conf.
Thank you

dwaddle
SplunkTrust

Because outputs.conf - like most any other Splunk config file - is merged together from all of the various apps in the installation. Several different outputs.conf files are all pulled together into a "master copy" according to defined rules. You can look at how this is done by using btool: http://docs.splunk.com/Documentation/Splunk/5.0/Troubleshooting/Usebtooltotroubleshootconfigurations

clymbouris
Path Finder

That's probably what I'm looking for... but even if the /system/local/outputs.conf and /apps/UniversalForwarder/.../outputs.conf aren't configured, how does /UniversalForwarder/../outputs.conf then pick up the indexer from the correct outputs.conf of your app?

0 Karma