Getting Data In

How is deployment of universal forwarders on AWS servers being done? Ideas needed.

theouhuios
Motivator

Hello

Since many companies are moving towards cloud-based servers, how can we handle Splunk UF deployment on cloud servers which come and go all the time? We were able to deploy the UF and send a Linux app to them, which works fine. But how are people deploying application-related configs?

Since it's not a standalone box, they have to automatically get the apps defined in serverclass. How are Splunk Admins handling this? Let's say a new box is spun up and it has 4-5 applications installed on it by the Unix team. How do you tell your UF to update itself with the configs for those applications?

We are trying out a method of tagging each application and using clientName to do this (which has to be updated whenever a new application is installed). Any other ways people are doing it? Please share your views and ideas.

Lucas_K
Motivator

"We are trying out a method of tagging each application and using clientName to do this (which has to be updated whenever a new application is installed)."

You shouldn't need to add clientNames for already existing classes for new apps. Just add an extra line into the same class pointing at the new app name (you don't need an extra class per app!).

Define your classes using wildcards and you can mix and match your apps based on a combination clientName.

Example classes.

You could have separate classes with separate apps or combine them into groups.

# Stanza headers use "serverClass:<name>", not "serverClass=<name>".
# No blacklist is needed here: a client that matches none of the whitelist
# entries is simply not in the class, and "blacklist.0 = *" would exclude
# every client, because the blacklist takes precedence over the whitelist.
[serverClass:linux]
whitelist.0 = linux_*
[serverClass:linux:app:Splunkfornix]
[serverClass:linux:app:someothernix_app]

[serverClass:web_server]
whitelist.0 = *_web_server
[serverClass:web_server:app:Splunkforapache]
[serverClass:web_server:app:someotherweb_app]

[serverClass:database]
whitelist.0 = *_database
[serverClass:database:app:SplunkforOracle]
[serverClass:database:app:someotherdb_app]


server #1 clientName "linux_web_server"
Apps:
Splunkfornix
someothernix_app
Splunkforapache
someotherweb_app

server #2 clientName "linux_database"
Apps:
Splunkfornix
someothernix_app
SplunkforOracle
someotherdb_app

You can do as many of these as you like, so the clientName becomes the key to which groups of apps you get.

0 Karma
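One way to check which apps a given clientName would receive under classes like the ones in the answer above, as an added example that is not part of the original post and not Splunk's own code: a small Python resolver that parses a constructed serverclass.conf and applies the matching rules the deployment server uses (a client is in a class when it matches a whitelist entry and no blacklist entry; the blacklist takes precedence). The sample config follows the answer's class and app names but adds one blacklist entry (`*_test_database`) the answer does not use, to show the precedence rule; it also assumes the glob matching is case-insensitive.

```python
"""Resolve which deployment apps a forwarder with a given clientName receives."""
from fnmatch import fnmatchcase
import re

# Constructed sample serverclass.conf: class and app names follow the example
# above; the blacklist entry on the database class is added here to show how a
# blacklist match overrides a whitelist match.
SERVERCLASS_CONF = """
[serverClass:linux]
whitelist.0 = linux_*
[serverClass:linux:app:Splunkfornix]
[serverClass:linux:app:someothernix_app]

[serverClass:web_server]
whitelist.0 = *_web_server
[serverClass:web_server:app:Splunkforapache]
[serverClass:web_server:app:someotherweb_app]

[serverClass:database]
whitelist.0 = *_database
blacklist.0 = *_test_database
[serverClass:database:app:SplunkforOracle]
[serverClass:database:app:someotherdb_app]
"""

# Matches "[serverClass:<name>]" and "[serverClass:<name>:app:<app>]".
STANZA = re.compile(r"^\[serverClass:([^:\]]+)(?::app:([^\]]+))?\]$")


def parse_serverclass(text):
    """Return {class name: {"whitelist": [...], "blacklist": [...], "apps": [...]}}
    in file order (dict insertion order is preserved)."""
    classes = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            name, app = m.group(1), m.group(2)
            entry = classes.setdefault(name, {"whitelist": [], "blacklist": [], "apps": []})
            if app:
                entry["apps"].append(app)
            current = name
            continue
        if current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.startswith("whitelist."):
                classes[current]["whitelist"].append(value)
            elif key.startswith("blacklist."):
                classes[current]["blacklist"].append(value)
    return classes


def matches(pattern, client_name):
    # Assumption: serverclass.conf globbing is case-insensitive, so both sides
    # are lower-cased before the shell-style wildcard comparison.
    return fnmatchcase(client_name.lower(), pattern.lower())


def class_matches(entry, client_name):
    """A client belongs to a class when it matches a whitelist entry and no
    blacklist entry; a blacklist match always wins."""
    if any(matches(p, client_name) for p in entry["blacklist"]):
        return False
    return any(matches(p, client_name) for p in entry["whitelist"])


def resolve_apps(text, client_name):
    """Ordered, de-duplicated list of apps the client receives across all classes."""
    apps = []
    for entry in parse_serverclass(text).values():
        if class_matches(entry, client_name):
            for app in entry["apps"]:
                if app not in apps:
                    apps.append(app)
    return apps


if __name__ == "__main__":
    for client in ("linux_web_server", "linux_database", "linux_test_database"):
        print(client, "->", resolve_apps(SERVERCLASS_CONF, client))
```

Running it against the two clientNames from the answer reproduces the app lists shown there; `linux_test_database` is the edge case, still in the `linux` class but kept out of `database` by the blacklist.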

starcher
Influencer

Using clientName, or a well-defined hostname pattern you can match on, is the best way to automatically assign apps. So it's best to ensure your systems set a good FQDN hostname before Splunk runs for the first time. Otherwise the current hostname at that time gets cached in $SPLUNK_HOME/etc/system/local/inputs.conf in the default stanza. You would need to update that and restart the UF.

Lucas_K
Motivator

+1 to the clientName option.

We also use clientName filtering. As long as the deployment client gets the deployment server IP and a matching client name, they will get all the appropriate apps. You can add as many clients as you want without having to make any deployment server changes. This is by far the fastest & simplest method for deployment.

0 Karma
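The two points made above, set the clientName plus deployment server address on the client and make sure the host has its FQDN before the forwarder starts for the first time, can be put into the provisioning step of a new instance. The following is an added example, not code from the original thread or from Splunk: a Python bootstrap helper that composes the clientName from an OS family and a role (values assumed to come from the provisioning system, for instance user-data or instance tags), refuses a short hostname, and renders the `deploymentclient.conf` and `inputs.conf` a freshly built host needs. It assumes the default Universal Forwarder path `/opt/splunkforwarder`; the file paths and stanza keys are Splunk's, the helper itself is hypothetical.

```python
"""Prepare a new host's forwarder config before the Universal Forwarder starts
for the first time, so the deployment server can classify it immediately."""
import re
from pathlib import Path

# Assumption: default Universal Forwarder install location.
SPLUNK_HOME = Path("/opt/splunkforwarder")

# RFC 1123 host labels, at least two of them, so a bare "web01" is rejected.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_fqdn(hostname):
    """True when the name is fully qualified: this is what the deployment server
    sees and what gets cached in inputs.conf at first start."""
    return bool(FQDN_RE.match(hostname.rstrip(".")))


def _normalise(part):
    return re.sub(r"[^a-z0-9]+", "_", part.strip().lower()).strip("_")


def build_client_name(os_family, role):
    """Compose the clientName the server classes key on, e.g. linux_web_server,
    so wildcards such as linux_* and *_web_server match reliably."""
    os_part, role_part = _normalise(os_family), _normalise(role)
    if not os_part or not role_part:
        raise ValueError("os_family and role must both be non-empty")
    return f"{os_part}_{role_part}"


def render_deploymentclient_conf(client_name, deployment_server):
    """deploymentclient.conf carrying the clientName and the deployment server URI."""
    return (
        "[deployment-client]\n"
        f"clientName = {client_name}\n"
        "\n"
        "[target-broker:deploymentServer]\n"
        f"targetUri = {deployment_server}\n"
    )


def render_inputs_conf(hostname):
    """Pin the host field to the FQDN instead of letting the first start cache
    whatever transient hostname the instance had at that moment."""
    return f"[default]\nhost = {hostname}\n"


def bootstrap(os_family, role, hostname, deployment_server,
              splunk_home=SPLUNK_HOME, write=False):
    """Return {path: contents} for the two files and write them only when asked.
    A non-FQDN hostname is rejected up front, which avoids the cached-hostname
    problem described in the thread."""
    if not is_fqdn(hostname):
        raise ValueError(f"hostname {hostname!r} is not fully qualified")
    client_name = build_client_name(os_family, role)
    local = Path(splunk_home) / "etc" / "system" / "local"
    files = {
        local / "deploymentclient.conf":
            render_deploymentclient_conf(client_name, deployment_server),
        local / "inputs.conf": render_inputs_conf(hostname),
    }
    if write:
        local.mkdir(parents=True, exist_ok=True)
        for path, contents in files.items():
            path.write_text(contents)
    return files


if __name__ == "__main__":
    # Constructed values; on a real host os_family/role come from the
    # provisioning system and hostname from the OS.
    for path, contents in bootstrap("linux", "web_server", "web01.example.com",
                                    "ds.example.com:8089").items():
        print(f"--- {path}\n{contents}")
```

Run it with `write=True` from the provisioning script before the forwarder's first start; because the deployment server classes only look at the clientName, a new instance with the right role string picks up its apps with no change on the deployment server side.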