Changing UF outputs.conf using deployment server

clymbouris
Path Finder

I was wondering if I can use our deployment server to change the outputs.conf on our Windows universal forwarders so they point to another indexer if needed. Is there any standard practice for doing this?

Many thanks

1 Solution

dwaddle
SplunkTrust

Yes you can absolutely do this, subject to Splunk's rules for configuration file precedence. Specifically, anything you configure in $SPLUNK_HOME/etc/system/local/outputs.conf can override an outputs.conf pushed by deployment server.

Our practice for doing this is having a small app that we deploy using deployment server that has the correct outputs.conf in it. We make sure that when we install the UF we do not configure it with any local outputs.conf configuration. (In fact, we try to make sure that UF gets NO configuration except from deployment server)

yannK
Splunk Employee

The usual method is to:

  • create an app in the deployment server in .../etc//deployment-apps//default/outputs.conf
  • define a serverclass.conf on the deployment server (to match clients to apps)
  • configure the forwarders to point to the deployment-server in deploymentclient.conf

See http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Aboutdeploymentserver

The only potential hiccup: if your existing outputs.conf is already in /etc/system/local, then it will have precedence over the one in the deployed app, so move it away first.

luisgustavo
Explorer

The path in your answer is misleading. I thought "default" was the app name, but it's a folder inside the app.
It should read:
- create an app in the deployment server in .../etc/deployment-apps/appname/default/outputs.conf

Also, the 2nd step can be done in the Splunk web interface, in Settings > Forwarder Management.

clymbouris
Path Finder

Thanks a lot dwaddle, it's clear now 🙂

btran
Explorer

The answer is misleading. You can change the $splunk_home/etc/system/local/outputs.conf file. You can only change $splunk_home/etc/apps/$app_name$/local/outputs.conf
Thank you

dstuder
Communicator

I believe you meant to say ...

The answer is misleading. You can't change the $splunk_home/etc/system/local/outputs.conf file. You can only change $splunk_home/etc/apps/$app_name$/local/outputs.conf
Thank you

dwaddle
SplunkTrust

Because outputs.conf - like most any other Splunk config file - is merged together from all of the various apps in the installation. Several different outputs.conf files are all pulled together into a "master copy" according to defined rules. You can look at how this is done by using btool. http://docs.splunk.com/Documentation/Splunk/5.0/Troubleshooting/Usebtooltotroubleshootconfigurations
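
The merge described in the post above, together with the system/local hiccup raised earlier in the thread, as an added Python example (not part of any post and not Splunk's code). It models only the rule that system/local wins over an app directory, for two constructed outputs.conf files; the hostnames and the app name org_all_forwarder_outputs are assumptions.

```python
# Added example; file contents, hostnames and the app name are constructed.
import configparser

SYSTEM_LOCAL = """
[tcpout]
defaultGroup = old_indexers
[tcpout:old_indexers]
server = old-idx.example.com:9997
"""
DEPLOYED_APP = """
[tcpout]
defaultGroup = new_indexers
[tcpout:new_indexers]
server = new-idx.example.com:9997
"""
# Highest precedence first: system/local wins over any app directory.
LAYERS = [
    ("etc/system/local/outputs.conf", SYSTEM_LOCAL),
    ("etc/apps/org_all_forwarder_outputs/default/outputs.conf", DEPLOYED_APP),
]

def parse(text):
    """Parse stanzas; assumes every setting sits under a [stanza] header."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective(layers):
    """Merge per attribute; return {(stanza, key): (value, winning_file)}."""
    merged = {}
    for path, text in layers:
        for stanza, attrs in parse(text).items():
            for key, value in attrs.items():
                merged.setdefault((stanza, key), (value, path))
    return merged

def shadowed(layers):
    """List (stanza, key, losing_file) for settings a higher layer overrides."""
    winners, lost = effective(layers), []
    for path, text in layers:
        for stanza, attrs in parse(text).items():
            for key, value in attrs.items():
                if winners[(stanza, key)] != (value, path):
                    lost.append((stanza, key, path))
    return lost

if __name__ == "__main__":
    for (stanza, key), (value, path) in sorted(effective(LAYERS).items()):
        print(f"{path}  [{stanza}] {key} = {value}")
```

With the system/local layer removed (`effective(LAYERS[1:])`), defaultGroup resolves to new_indexers, which is why the answers say to keep outputs.conf out of system/local. On a real forwarder, `splunk btool outputs list --debug` prints the source file for each effective setting.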

clymbouris
Path Finder

That's probably what I'm looking for. But even if the /system/local/outputs.conf and /apps/UniversalForwarder/.../output.conf aren't configured, how then does /UniversalForwarder/../output.conf pick up the indexer from the correct output.conf of your app?
