We are at a phase where we need to deploy universal forwarder setup through Tivoli Endpoint Manager (TEM) over multiple servers.
However, for deploying through Tivoli, we need to create fixlets.
Is there any way to get the batch file from the Splunk Universal Forwarder or is there any other method to give it a try?
Many have used scripts such as: https://answers.splunk.com/answers/34896/simple-installation-script-for-universal-forwarder.html
Here is how you can create a system image of Splunk:
Perhaps this can help you since I don't have access to Tivoli.
Hi dmaislin ,
Thnaks for the response was a great hepl
Manged to deploy it by tivoli
However We deployed Splunk universal forwarder through tivoli which was pointing to the deployment server. On deploying it we found out that there is a inputs.conf getting created in local folder with only the hostname.
We deployed Splunk-TA-Winodows through deployment server.
Using a batch file we appended the inputs.conf host data form system/local to Splunk-TA-Windows/local/inputs.conf and deleted the inputs.conf and restarted splunkd. All worked fine.
Now we have the Splunk-TA-Winodws deployed through deployment servrer, when the client phones home it removes the hostname as there and keeps the conf file present in the deployment app?
How can i add the host details in splunk without getting it override ?
I have 100 servers in all and want the hostname of each present in the inputs.conf of the TA ?
You didn't prepare your system image that gets deployed correctly if there is a local folder that contains a system/local/inputs.conf with:
host = somehostname.here.com
If you follow these instructions:
Then you would prepare your image once it is setup correctly, and the command:
Run ./splunk clone-prep-clear-config.
Would clear out the inputs.conf in local. You don't need it since that inputs.conf will get created the moment the forwarder that gets deployed and starts up for the very first time.
If you're deploying Splunk_TA_windows through Deployment Server, it will control the whole app. However, any settings that you put in etc/system/local/inputs.conf will be merged with what's in the app and take precedence in the case of a conflict. Therefore, putting the hostname in etc/system/local/inputs.conf should do exactly what you want. You can always create local apps that aren't managed by Deployment Server, too, but in this particular case it's probably appropriate to use etc/system/local/inputs.conf.
For reference, details about configuration precedence are available at http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Wheretofindtheconfigurationfiles and "precedence order within global context" applies to your situation.