Getting configuration for forwarder

trflesher
Explorer

“I am working with a customer who is a licensed and valid support contract holder with Splunk. They are currently running a forwarder within their XenServer environment on Linux (CentOS). We were trying to migrate the machine to VMware ESXi but have experienced issues with the conversion process.

We plan to build a new Windows-based server instead for the forwarders; however, we are unsure how to get configuration data out of their current forwarder to the new one.”

0 Karma

rajneeshsaraswa
New Member

Hi,
Is it possible for you to share any details on how to configure Splunk in XenServer?
I am almost a novice with XenServer and Splunk.

0 Karma

jconger
Splunk Employee

You can stay with CentOS if you like, or you can use Windows. Either way, the first step is to install the Splunk Universal Forwarder on the machine: http://www.splunk.com/download/universalforwarder

If you still have access to the old CentOS VM, you can copy the configuration from it to your new machine.

By default, the Splunk Universal Forwarder will install to /opt/splunkforwarder on CentOS. All the XenServer configuration files will be located at /opt/splunkforwarder/etc/apps/TA-XS60-Server. Just copy this entire folder to your new machine.

If you are going to use Windows instead of CentOS, you will need to modify the inputs.conf file located in this folder. You need to change all the forward slashes "/" to backslashes "\".

lguinn2
Legend

Just a note: since Splunk runs a service on Windows boxes, there is no need for something like "boot start"

0 Karma

lguinn2
Legend

And reinstall Splunk, of course - the Windows binaries are different! But if you re-install Splunk over an existing installation, it should preserve all the customer configurations. [Unless they broke the rules and edited files in the default folders.... 😞 ]

0 Karma

jconger
Splunk Employee

Once you copy the files and folders onto your Windows box under %ProgramFiles%\Splunk\etc\apps, you may need to change the forward slashes "/" in the various inputs.conf files to backslashes "\". That is really all you need to do.

0 Karma

trflesher
Explorer

So the customer would like to eliminate Linux now and just use Windows. They already have Windows boxes running Splunk for other things. I have been able to copy all the files from the Splunk home folder on the CentOS VM. How would I get one of the existing Windows servers to recognize that config and perform the functions that were on the CentOS box? Is this possible? Thanks!!

0 Karma

jconger
Splunk Employee

If you do not want to monitor XenServer, then no, you do not need to worry about the XenServer configuration files. If you do still want to monitor XenServer pools, then you can copy the XenServer configuration files anywhere you have a universal forwarder that can reach the XenServer pool master via TCP/IP - it doesn't matter where the XenServer collector actually "lives".

0 Karma

trflesher
Explorer

A huge thank you to both lguinn and Jason (jconger) on this!! I appreciate it very much.

So I am assuming since the new CentOS VM will be running in VMware instead, I don't need to worry about the XenServer configuration files? Just double checking before I hopefully wrap up getting this going.

0 Karma

lguinn2
Legend

It is easy enough to grab the configuration data, but you have to know how the forwarder is configured 🙂

All Splunk configuration files are simple text. If Splunk is installed in the $SPLUNK_HOME directory, all configuration files can be found under $SPLUNK_HOME/etc. However, this includes default configurations as well, which you should NOT copy from installation to installation - especially across OSes. When you look at the directory structure beneath $SPLUNK_HOME/etc, you will see a lot of folders named default that contain those default configurations. Under $SPLUNK_HOME/etc/apps you may also see entire apps (sets of configuration files) that will not be appropriate for the new environment.

OTOH, if the customer is using the Splunk Deployment Server to configure their forwarder(s), you just need to change the settings on the Deployment Server.

Also, I feel compelled to ask, why change the underlying OS? It complicates the conversion in more ways than one, and it costs more for the OS license (Splunk doesn't care). In the most common case, the Splunk forwarder runs on a production machine to collect and forward local data. Obviously, OS is determined by the production machine (web server, db server, etc etc). In this case, it sounds like the Splunk forwarder is the main service provided by the server - and you should be able to use any supported OS.

Finally, it actually doesn't matter if the customer has a support contract or not. The configuration files, etc, all work the same (especially for forwarders) regardless of the license. But it does mean that you can contact Splunk Support with specific questions about this migration!
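An added example, not part of the original posts and not Splunk tooling: shell helpers for the copy described in the answers above. They list and archive only the files outside the folders named default, and flag inputs.conf stanza headers that still carry forward-slash paths. The function names are hypothetical; the install root (for example /opt/splunkforwarder) is passed as the first argument.

```shell
#!/bin/sh
# Added example (hypothetical helper names). $1 = old install root.

# Print every file under etc/ that is NOT inside a folder named "default",
# i.e. the customer-made configuration worth carrying over.
list_custom_files() {
    ( cd "$1" && find etc -type d -name default -prune -o -type f -print | sort )
}

# Archive exactly those files. $2 = output tarball (absolute path).
# Relies on tar -T (GNU tar, bsdtar); assumes no newlines in file names.
pack_custom_files() {
    list_custom_files "$1" | ( cd "$1" && tar -czf "$2" -T - )
}

# Print file:line:stanza for inputs.conf stanza headers whose path part
# (after scheme://) still contains "/". These are the lines to review
# by hand once the copy lands on a Windows forwarder.
unix_path_stanzas() {
    find "$1/etc" -type d -name default -prune -o \
        -type f -name inputs.conf -print | sort |
    while IFS= read -r conf; do
        grep -Hn -E '^\[[A-Za-z]+://.*/' "$conf" || true
    done
}
```

An app that is moved whole, such as the TA-XS60-Server folder mentioned above, is copied as a complete folder instead; these helpers cover the rest of the etc tree.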

lguinn2
Legend

Just move over the $SPLUNK_HOME; no install needed.

The only thing you probably should do after that is run this command:

sudo $SPLUNK_HOME/bin/splunk enable boot-start -user splunkX

where splunkX is the Linux account name that is running Splunk. This sets Splunk to start at boot. More info here:

http://docs.splunk.com/Documentation/Splunk/6.0.1/admin/ConfigureSplunktostartatboottime

0 Karma

trflesher
Explorer

Hmmm .. definitely open to try that. Is there any type of "install" we have to run ahead of time on the new CentOS VM built from scratch specific to Splunk? Or do I just need to move over that $SPLUNK_HOME ?

0 Karma

lguinn2
Legend

Sounds like a good enough reason to me. 🙂

Although if you build a new CentOS VM from scratch, you could simply copy $SPLUNK_HOME to the new machine.

Splunk does not spray stuff around the disk. tar up $SPLUNK_HOME on the old box and move it to the other - as long as they are both CentOS, you are fine.

0 Karma

trflesher
Explorer

Thanks!! As far as OS goes, the challenge was converting the machine "as is" from a XenServer VM to a VMware VM. This was what we planned to do. Since it didn't work and all efforts to get around the problem of converting the CentOS were exhausted, we headed down this path. The customer has very limited knowledge on the CentOS itself and the implementation, so it's about supportability more than anything.

0 Karma