Is it possible to set up deploymentclient.conf parameters via the command line?
I have used DEPLOYMENT_SERVER parameter during forwarder installation via the command line. It adds the target-broker, but I am looking for a command line option to set the parameters like below:
[deployment-client] disabled = false phoneHomeIntervalInSecs = 1800 handshakeRetryIntervalInSecs = 12
Does anybody know how to do it?
Use the command line you're currently using. Then have your deployment server push an app that contains a deploymentclient.conf file with the desired settings.
I'd even go a step further and say you shouldn't use the
deploy-poll CLI command option. That's because it creates etc/system/local/deploymentclient.conf, which can't be overridden by an app from your DS. A better process is to install the vanilla UF then copy your deployment client app only to the etc/apps directory. Restart the forwarder and it will connect to your DS to get the rest of its apps.
@prakhersinghal. Very dangerous trap - That's because it creates etc/system/local/deploymentclient.conf, which can't be overridden by an app from your DS.
Do your best to avoid it as most implementation overlook the issue ; -)
Thanks for your reply. Really appreciate it. Please see my comment down.
Thanks for your reply and suggestion. Really appreciate it.
I am not using "deploy-poll" to set deployment manager rather I set deployment manager during UF installation which still creates deploymentclient.conf in /etc/system/local.
splunkforwarder-xxx-xxx.msi INSTALLDIR="C:\dir" AGREETOLICENSE=Yes DEPLOYMENT_SERVER="Dep_Server:8089" SERVICESTARTTYPE=auto /quiet
I have used the same method for thousands of servers during Splunk rollout so that they can report to DS and I can assign server class and app to clients. But, Splunk scope has increased and now I have ~ 6000 servers reporting to one DS which makes DS UI unresponsive and it's difficult to deploy the app.
I am building a few more DS to distribute the load and also wants to increase the PhoneHomeInterval to reduce client checking app update every minute.
If I just go for vanilla UF install and don't set Deployment Server during install, the client server will not report to DM & I will have to push deployment client config using configuration mgmt or manually.
If I keep the same install process intact and when a client reports to DS, I assign the deployment app via DS which will go to /etc/app directory. There will be two deploymentclients.conf and as per precedence, the /etc/app configuration will take charge.
Is this a good way to do these changes or anything that you can suggest?
Sorry about the long message & thanks for your time on helping in this.
/etc/system/local has highest priority not
/etc/app/ reference doc. So I'll suggest to deploy deployment config app first time via any other tool/script and after that let splunk deployment server take over that app.
Thanks. I will edit my reply. Poor mistake.
We are using a install package after the uf installation so the UF get the right config. Its basicly and extra rpm package with some scripts that are executed depending on the host and enviroment (10 000+ UFs currently up and running and its the best and most secure way we found so far, but open for better solutions!)
Thanks. That's an option. I think @richgalloway suggested a similar approach and looks like the best one.
One thing I have not tested is that if I have 2 different set of configs:
1) one in "/etc/system/local" deploymentclient.conf
2) Seconds in "/etc/app/app_name/local" deploymentclient.conf
Will Splunk merge it or just ignore the lower precedence config? I will test it but in case anyone knows.
If you have same parameter config under same stanza in
/etc/app/app_name/local then it will ignore config based on precedence so splunk will use config from
/etc/system/local, if you have different stanza or different parameter config under same stanza in
/etc/app/app_name/local then splunk will merge it.