My Splunk Forwarder is installed on a share, which can be mapped to all the servers in my environment. Therefore, I am wondering if it is possible to use binaries out this common location, but have configs installed elsewhere, locally on each server. If so, I would not need to worry about deploying Splunk Forwarders to all the servers, I will be simply pushing configs as needed.
Is it possible to define a custom location for Universal Forwarder local configs (.../etc/system/local)? For example, set this as an ENV variable prior to starting the forwarder, or maybe passing-in this location as an argument, such as:
No, Splunk does not support a custom location for universal forwarder local configs or Splunk logs.
In fact, to push configurations (and add-ons) to multiple forwarders, you should set up a deployment server to do exactly this.
The documentation provides very detailed information and instructions about forwarder management using a deployment server: http://docs.splunk.com/Documentation/Splunk/6.5.1/Updating/Aboutdeploymentserver