How to manage Splunk forwarders from a Splunk depl...

Suyalag · ‎08-17-2016

So, I have Splunk Enterprise installed on a VM and it runs fine, but so far I have been upgrading the Splunk forwarders manually. I want to install Splunk on a different VM and manage the forwarders from there. How do I connect this new install of a Splunk deployment server to the one that runs the searches and has all the data? I am new to Splunk, so any help is appreciated.

Thanks!

ddrillic · ‎08-18-2016

One thing to keep in mind that with the new versions of Splunk, you can manage the forwarders from the Distributed Management Console.

For example, you can see a breakdown of the forwarders by version -

s2_splunk · ‎08-18-2016

This part of our documentation should get you started in understanding how the deployment server works.

Any Splunk instance (other then the deployment server itself) that you want to manage is configured to connect to the deployment server via the deploymentclient.conf configuration file.
Deployment clients will periodically connect to the DS to check wether any updated configuration is available, download those updates and apply them locally.
The deployment server will use the configuration file serverclass.conf to map deployment applications to groups of clients based on rules you define.

As long as you can connect from deployment clients to the DS via port 8089, the setup is pretty straightforward.
Please review the documentation linked above and let us know if you have issues.

How to manage Splunk forwarders from a Splunk deployment server installed on a different VM?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...