How to edit outputs.conf for universal forwarder in linux
Hi,
I was trying to edit outputs.conf for a universal forwarder, but when I searched for the outputs.conf file in etc/system/local, I can see only:
README
inputs.conf
server.conf
deploymentclient.conf
Does this mean I need to change outputs.conf on the deployment server? If I need to change it on the deployment server, do I need to change it in an app? If so, what is the exact path where I can edit outputs.conf for the forwarder on the deployment server, please?
Thanks
Hi @raghu0463 ,
If you are unable to find outputs.conf in system\local, it may be that, while installing the Universal Forwarder, you did not enter the indexer's IP when it prompted for it.
You can edit outputs.conf at /opt/splunk/etc/deployment-apps//local/outputs.conf. Remember this will be for the app; if you want it for system, then you can create outputs.conf on the universal forwarder and give the indexer's IP with port. Hence \etc\system* does not sync with Deploymentclient.
Bye,
Sarvesh
Keep Splunking
@raghu0463
plz upvote the comments are helpful 🙂
raghu0463
It is easy to identify whether the forwarder is connected to the deployment server or not. Follow the steps below, assuming you have the deployment server configured in your environment.
1. You did see deploymentclient.conf under system/local on the forwarder. Do you see the forwarder pointed to the right deployment server? Another place to check for deploymentclient.conf is $SPLUNK_HOME/etc/apps on the forwarder.
2. Grab the IP or the hostname of the forwarder, log in to the deployment server UI -> Settings -> Forwarder management -> under the Clients tab -> try to search for the IP or the hostname of the forwarder.
3. If you don't see the expected details from the above steps, first you need to fix the connectivity between the deployment server and the forwarder.
4. If you have the deployment server in the environment, best practice is to always deploy the configurations from the deployment server. The place to edit the configurations on the deployment server is $SPLUNK_HOME/etc/deployment-apps. Edit or create your outputs.conf in an app under deployment-apps and configure the server classes appropriately.
5. Now run the command "$SPLUNK_HOME/bin/splunk reload deploy-server" on the deployment server and you should see the configurations deployed under $SPLUNK_HOME/etc/apps on the forwarders.
Is this a production system or some testing system?
On production systems, you should already have an app or some procedure for outputs.conf.
Guessing this is a recent fresh UF installation, maybe you need to add this UF to a server class, so that the apps related to the server class will be deployed to this UF. Please provide some more details.
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
-- on production systems, you should be having an app/or some procedure already for outputs.conf.
No doubt.
Hi raghu0463,
the best way to manage outputs.conf of forwarders using a Deployment Server is to create a dedicated TA containing your outputs.conf and deploy it to all Forwarders using Deployment Server.
Remember to delete outputs.conf from $SPLUNK_HOME/etc/system/local because files in this folder are out of Deployment Server Management.
Bye.
Giuseppe
If a UF is under deployment server control then never ever edit config files on the universal forwarder directly. Always go through the deployment server.
By default, you'll find the deployment apps on the deployment server in /opt/splunk/etc/deployment-apps. Check the serverclasses for that particular forwarder to get the list of apps it receives, and check those apps for an outputs.conf.
You can run this on the CLI of the forwarder: splunk show deploy-server, or splunk btool --debug deploymentclient list, or look at all deploymentclient.conf files (start with etc/system/local).
I'm sorry, I actually asked the question in a bit different way. I was trying to find outputs.conf on the server where the forwarder is installed, in the path etc/system/local, but I could see only these files:
README
inputs.conf
server.conf
deploymentclient.conf
I'm a bit confused whether this forwarder is connected to a deployment server or not. Is there any way that I can find out whether this forwarder is connected to a deployment server, so that I can directly go to the deployment server and edit the outputs.conf of this forwarder?
Thanks
It is easy to test whether that forwarder is already connected to the deployment server or not. Follow these steps, assuming you have configured the deployment server in your environment.
- You did see deploymentclient.conf under system/local on the forwarder - what is in there? Verify it is in fact talking to the deployment server. If you don't see much detail under system/local, then the next bet would be etc/apps - you might have an app for the deploymentclient.conf.
- Grab the IP or the hostname of the forwarder and log in to the deployment server -> Settings -> Forwarder management -> under the Clients tab -> search for the IP or the hostname of the UF - this will show the details for the UF if it was talking to the deployment server.
- If you don't see the expected details in the above steps, you should probably fix the connectivity between the deployment server and the UF as the first step.
- Once you have the deployment server configured in your environment, it is a best practice to deploy all the configurations from there. The place to find/edit those configurations on the deployment server is $SPLUNK_HOME/etc/deployment-apps; make sure you have the right serverclass.conf configured.
- Edit the outputs.conf on the deployment server ($SPLUNK_HOME/etc/deployment-apps) and then run the "reload" command, and you should see the configurations on the connected forwarders under $SPLUNK_HOME/etc/apps.
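
The checks described in the answers above (which deployment server the forwarder points at, and where an outputs.conf actually lives) can be scripted on the forwarder. This is an added example, not code from the thread or from Splunk; it assumes the etc/system and etc/apps layout mentioned in the posts and reads only the targetUri and server settings, and the tree built by make_sample (hostnames, app name) is constructed.

```shell
# Report the deployment server a forwarder polls and every outputs.conf target.

# list_conf ETC NAME: every copy of NAME under ETC/system and ETC/apps.
list_conf() {
    find "$1/system" "$1/apps" -type f -name "$2" 2>/dev/null | sort
}

# conf_value FILE KEY: values of uncommented "KEY = value" lines.
conf_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1"
}

# scope_of FILE: system/local is outside deployment server management;
# etc/apps is where deployed apps land.
scope_of() {
    case "$1" in
        */system/local/*) echo unmanaged ;;
        */apps/*)         echo app ;;
        *)                echo other ;;
    esac
}

# report ETC NAME KEY LABEL: one tab-separated line per setting found:
# LABEL, value, scope, file.
report() {
    list_conf "$1" "$2" | while IFS= read -r f; do
        conf_value "$f" "$3" | while IFS= read -r v; do
            printf '%s\t%s\t%s\t%s\n' "$4" "$v" "$(scope_of "$f")" "$f"
        done
    done
}

# audit_forwarder ETC: deployment server target(s), then tcpout server(s).
audit_forwarder() {
    report "$1" deploymentclient.conf targetUri deployment-server
    report "$1" outputs.conf server tcpout-server
}

# make_sample ETC: constructed forwarder tree (made-up hosts and app name)
# with a deployed outputs app and a leftover system/local outputs.conf.
make_sample() {
    mkdir -p "$1/system/local" "$1/apps/all_forwarder_outputs/local"
    printf '[target-broker:deploymentServer]\ntargetUri = ds.example.test:8089\n' > "$1/system/local/deploymentclient.conf"
    printf '[tcpout:primary]\nserver = idx1.example.test:9997\n' > "$1/apps/all_forwarder_outputs/local/outputs.conf"
    printf '[tcpout:old]\n# server = gone:9997\nserver = 10.0.0.5:9997\n' > "$1/system/local/outputs.conf"
}

# Usage: sh audit.sh "$SPLUNK_HOME/etc"
if [ "$#" -gt 0 ]; then audit_forwarder "$1"; fi
```

An outputs.conf line tagged `unmanaged` is a copy in system/local, the one the thread says to delete when outputs.conf is deployed from the deployment server.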
