During the forwarder install, is it possible to set up deploymentclient.conf parameters via the command line?

prakhersinghal
Explorer

Hello,

Is it possible to set up deploymentclient.conf parameters via the command line?

I have used the DEPLOYMENT_SERVER parameter during forwarder installation via the command line. It adds the target-broker, but I am looking for a command line option to set parameters like the ones below:

[deployment-client]
disabled = false
phoneHomeIntervalInSecs = 1800
handshakeRetryIntervalInSecs = 12

Does anybody know how to do it?

0 Karma
1 Solution

richgalloway
SplunkTrust

Use the command line you're currently using. Then have your deployment server push an app that contains a deploymentclient.conf file with the desired settings.

I'd even go a step further and say you shouldn't use the deploy-poll CLI command option. That's because it creates etc/system/local/deploymentclient.conf, which can't be overridden by an app from your DS. A better process is to install the vanilla UF then copy your deployment client app only to the etc/apps directory. Restart the forwarder and it will connect to your DS to get the rest of its apps.

---
If this reply helps you, Karma would be appreciated.

prakhersinghal
Explorer

Thanks for your reply and suggestion. Really appreciate it.
I am not using "deploy-poll" to set the deployment manager; rather, I set the deployment manager during UF installation, which still creates deploymentclient.conf in /etc/system/local.

splunkforwarder-xxx-xxx.msi INSTALLDIR="C:\dir" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="Dep_Server:8089" SERVICESTARTTYPE=auto /quiet

Some background:
I have used the same method for thousands of servers during the Splunk rollout so that they can report to the DS and I can assign server classes and apps to clients. But the Splunk scope has increased and now I have ~6000 servers reporting to one DS, which makes the DS UI unresponsive, and it's difficult to deploy the app.

I am building a few more DS to distribute the load and also want to increase the PhoneHomeInterval to reduce clients checking for app updates every minute.

If I just go for vanilla UF install and don't set Deployment Server during install, the client server will not report to DM & I will have to push deployment client config using configuration mgmt or manually.

The solution?
If I keep the same install process intact, then when a client reports to the DS, I assign the deployment app via the DS, which will go to the /etc/app directory. There will be two deploymentclient.conf files and, as per precedence, the /etc/app configuration will take charge.

Is this a good way to do these changes or anything that you can suggest?

Sorry about the long message & thanks for your time on helping in this.

0 Karma

broberg
Communicator

We are using an install package after the UF installation so the UF gets the right config. It's basically an extra rpm package with some scripts that are executed depending on the host and environment (10 000+ UFs currently up and running, and it's the best and most secure way we have found so far, but open for better solutions!)

prakhersinghal
Explorer

Thanks. That's an option. I think @richgalloway suggested a similar approach and looks like the best one.

One thing I have not tested is what happens if I have 2 different sets of configs:
1) One in "/etc/system/local" deploymentclient.conf
2) Second in "/etc/app/app_name/local" deploymentclient.conf

Will Splunk merge it or just ignore the lower precedence config? I will test it but in case anyone knows.

0 Karma

harsmarvania57
SplunkTrust

If you have the same parameter configured under the same stanza in /etc/system/local and /etc/app/app_name/local, then it will ignore config based on precedence, so Splunk will use the config from /etc/system/local. If you have a different stanza or a different parameter configured under the same stanza in /etc/system/local and /etc/app/app_name/local, then Splunk will merge it.

Reference doc : https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Wheretofindtheconfigurationfiles
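
The per-setting merge described in the reply above, as an added example that is not part of the original thread: a simplified two-layer Python model of how a forwarder resolves deploymentclient.conf. The file contents, the app name org_deploymentclient and the host new-ds.example.com are constructed for illustration, and only system/local and one app's local directory are modelled.

```python
# Added illustration: simplified two-layer model of Splunk's per-setting merge.
# File contents, app name and host names below are constructed samples.
SYSTEM_LOCAL = """
[target-broker:deploymentServer]
targetUri = Dep_Server:8089
"""
APP_LOCAL = """
[deployment-client]
phoneHomeIntervalInSecs = 1800
handshakeRetryIntervalInSecs = 12

[target-broker:deploymentServer]
targetUri = new-ds.example.com:8089
"""
LAYERS = [  # highest precedence first
    ("etc/system/local/deploymentclient.conf", SYSTEM_LOCAL),
    ("etc/apps/org_deploymentclient/local/deploymentclient.conf", APP_LOCAL),
]

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping blanks and comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge_layers(layers):
    """Return (effective, shadowed): the winning value per key, and settings that lost."""
    effective, shadowed = {}, []
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            slot = effective.setdefault(stanza, {})
            for key, value in settings.items():
                if key in slot:  # a higher layer already set this key
                    shadowed.append((path, stanza, key, value))
                else:
                    slot[key] = (value, path)
    return effective, shadowed

if __name__ == "__main__":
    effective, shadowed = merge_layers(LAYERS)
    for stanza, settings in effective.items():
        for key, (value, path) in settings.items():
            print(f"[{stanza}] {key} = {value}  <- {path}")
    print("ignored (shadowed by a higher layer):", shadowed)
```

The app's phone-home settings merge in, but its targetUri is ignored because system/local already sets that key. On a real forwarder, splunk btool deploymentclient list --debug prints the effective settings together with the file each one came from.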

prakhersinghal
Explorer

Great. Thanks.

0 Karma

harsmarvania57
SplunkTrust

Regarding precedence, /etc/system/local has the highest priority, not /etc/app/ (reference doc). So I'll suggest deploying the deployment config app the first time via any other tool/script, and after that letting the Splunk deployment server take over that app.

prakhersinghal
Explorer

Thanks. I will edit my reply. Poor mistake.

0 Karma

ddrillic
Ultra Champion

@prakhersinghal. Very dangerous trap - That's because it creates etc/system/local/deploymentclient.conf, which can't be overridden by an app from your DS.

Do your best to avoid it, as most implementations overlook the issue ;-)

0 Karma

prakhersinghal
Explorer

Thanks for your reply. Really appreciate it. Please see my comment down.

0 Karma