I have tried to follow the documentation for creating directories and adding the apps, etc. All I want to do is be able to make a change to inputs.config and outputs.config without having to visit the remote machines. The forwarders are installed and pointing to the main server. One of them even checked in and supposedly updated the APP, however it is not working and the files copied are in a strange location, not mirroring the server side.
I have placed folders with the files I want to update on the forwarders in the following server locations: C:\Program Files\Splunk\etc\deployment-apps\MYConfig1 and C:\Program Files\Splunk\etc\deployment-apps\Myconfig2. In those folders are default and local folders; the local folder was created by default and has a lock on it and is not shared. I tried placing the files in both locations with no change in result.
On the client side, the following is what gets "updated":
In the C:\Program Files\SplunkUniversalForwarder\etc\deployment-apps folder there is nothing. In the C:\Program Files\SplunkUniversalForwarder\etc\apps folder the Myconfig1 folder does show up with its files. They just don't get used.
In fact, the normal C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf file appears to have no effect either. I have blanked it out and I still get the inputs that were specified at install in the GUI being sent to my indexer.
What is the expected behavior for where to place on the server, where it copies to on the forwarder, and where to check when it does not work?
Apps pushed from the server to the forwarder are supposed to get pushed too
On the server, they are in the deployment-apps folder, but on the forwarder they are in the apps folder.
If there is a conflicting inputs.conf file on the forwarder then it can cause your deployed app to be ignored. Input.conf files with conflicting instructions are used according to the ASCII search of the file structure.
Which inputs are you getting that you want to stop?
Put the apps to deploy on the deployment server (so a real Splunk instance)
in the folder
Once deployed to the deployment-clients, they will be copied in the
$SPLUNK_HOME\etc\apps\ and overwrite the existing ones.
OK, it looks like they get pushed to the appropriate place as you described. The issue is that they are not taking effect or are overridden. Blanking out the inputs.config in the system/local folder, which normally is the one I would edit, does not change the functions at all. On installation I had selected the security, app, and system event logs and added the path to monitor IIS logs. The updated config I sent from the deployment server only has inputs for system and app enabled and has the security set to disabled=0, no other entries.
My assumption is that the forwarder reads the inputs.config in the default folder and then adds whatever you put in the local version and/or the apps version. This isn't happening. Note that this server is a free version I am testing before moving my enterprise licensing over. I saw a note that the free version does not support deployment server, but it sure seems like it is trying to work.
Does my "app" need to be called SplunkUniversalForwarder so it matches the "app" that I am trying to update? I'm not really adding an "app", I am simply trying to push my custom inputs.conf and outputs.conf of the basic forwarder component. I guess that's what I am not understanding. How does it know to apply the conf files universally rather than just when dealing with a certain "app"?
If you want to erase the existing one, yes.
But it's easier to create your own app and push it. It will better survive the upgrade of different instances to different versions (with a new version of the SplunkUniversalForwarder, and all the defaults that come with it).
My advice:
- reset the SplunkUniversalForwarder on your forwarders to the original one (including the defaults)
- create an app dedicated to your input
- use the deployment-server to push just this one
- make sure that the forwarders restart
- if the inputs are not working, use the btool command on them to check the configuration precedence, maybe you have a conflict.
Thanks. "- if the inputs are not working, use the btool command on them to check the configuration precedence, maybe you have a conflict."
I think this was the concept I needed. I got a forwarder on a different client to work and update. I am going to remove and reconfigure the first forwarder, as I think I had somehow created a conflict while struggling with it the first time. The btool output showed that my configs were in there, but I think they were overridden by another file I might have borked while troubleshooting.
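
The precedence conflict discussed in this thread, as an added example (not part of the thread and not Splunk's code): a simplified Python model of Splunk's documented global-context ordering for a forwarder's inputs.conf (system/local, then every app's local directory, then every app's default directory, then system/default, with apps compared in ASCII order of directory name). The file contents, the IIS path and the assumption that the install-time inputs sit in the SplunkUniversalForwarder app's local directory are constructed for illustration.

```python
import configparser

IIS = r"monitor://C:\inetpub\logs\LogFiles"  # constructed path, not from the thread

# Constructed inputs.conf contents, keyed by path under $SPLUNK_HOME/etc.
SAMPLE = {
    "system/local/inputs.conf": "",  # blanked out, as in the question
    # Assumption: the install-time GUI choices ended up in this app's local dir.
    "apps/SplunkUniversalForwarder/local/inputs.conf": (
        "[WinEventLog://Security]\ndisabled = 0\n"
        "[WinEventLog://System]\ndisabled = 0\n"
        f"[{IIS}]\ndisabled = 0\n"
    ),
    # The deployed app: it only touches the event log stanzas.
    "apps/Myconfig1/local/inputs.conf": (
        "[WinEventLog://Security]\ndisabled = 1\n"
        "[WinEventLog://System]\ndisabled = 0\n"
    ),
}

def rank(path):
    """Sort key: lower sorts first and wins (global-context ordering)."""
    parts = path.split("/")
    if parts[0] == "system":
        return (0, "") if parts[1] == "local" else (3, "")
    # apps/<name>/<local|default>/...: every app local dir beats every app
    # default dir; within a tier the app name is compared in ASCII order.
    return (1 if parts[2] == "local" else 2, parts[1])

def effective(files):
    """Merge per attribute; return {stanza: {key: (value, winning_file)}}."""
    merged = {}
    for path in sorted(files, key=rank):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(files[path])
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                # First writer wins because files are visited best-first.
                merged.setdefault(stanza, {}).setdefault(key, (value, path))
    return merged

if __name__ == "__main__":
    for stanza, attrs in effective(SAMPLE).items():
        for key, (value, src) in attrs.items():
            print(f"{src:50} [{stanza}] {key} = {value}")
```

In this model the deployed app overrides the Security stanza, but the IIS monitor stanza it never mentions stays active, and moving the deployed file from local to default makes it lose to the other app's local copy. On a real forwarder, `splunk btool inputs list --debug` prints the winning file next to each setting.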