Need help modifying inputs.conf on several clients

tam82
Explorer

How can I pull and modify the inputs.conf file on over 2000+ universal forwarders?

Can I do this by running a script that I create in an app and deploy through the Deployment Server?

0 Karma

gcusello
SplunkTrust

Hi @tam82,

there's something that I don't understand:

you have an active Deployment Server, is it correct?

why don't you use it to deploy inputs.conf file in an app to all the Forwarders?

It's its own role!

Could you better describe your need?

Ciao.

Giuseppe

0 Karma

tam82
Explorer

I thought there were settings you could only set in the /system/local area, like the base output file.

0 Karma

SinghK
Builder

There must be an app on your DS which has those inputs. Modify the inputs and redeploy using

$SPLUNK_HOME/bin/splunk reload deploy-server, or let the forwarders sync with DS and get the new copy of app.

0 Karma

gcusello
SplunkTrust

Hi @tam82,

putting configurations in system/local is a solution for a lab because it's quick but not useful in a production environment because configuration in system/local cannot be automatically updated by the DS.

So it's better to put all the configuration files (also outputs.conf and deploymentclient.conf) in a dedicated Add-On (called e.g. TA_Forwarders) to deploy using the Deployment Server to all clients.

If you already have in your installation some configuration file in system/local, you have to do the following steps:

  • create a new TA containing at least outputs.conf and deploymentclient.conf and all the configuration files you need (not server.conf!),
  • deploy it on all your clients using DS,
  • remove configuration files from system/local using a script.

Ciao.

Giuseppe

tam82
Explorer

How do you create the add-on? And if you have not deployed the deploymentclient.conf on install, how does the UF know about the deployment server?

0 Karma

gcusello
SplunkTrust

Hi @tam82,

I created an app called TA_Forwarder with the usual structure of each Splunk app (folders: bin, default, local and metadata).

Then in the default folder I added two files: outputs.conf and deploymentclient.conf.

If you want, you can also use the Splunk Add-On Builder App (https://splunkbase.splunk.com/app/2962/) that's very useful.

About the first installation, I taught the customer specialists to copy the TA_Forwarder in $SPLUNK_HOME/apps on a machine and restart Splunk; in this way the client is connected with the Deployment Server.

Remember, before everything, to create a ServerClass containing all the clients to deploy the TA_Forwarder App, otherwise, at the first connection, the manually copied app is deleted by the DS.

If you already have deploymentclient.conf and outputs.conf in system/local, you have to run a script to delete these files and restart Splunk after TA_Forwarders deployment.

Ciao.

Giuseppe

0 Karma
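
The cleanup step described in the reply above (removing outputs.conf and deploymentclient.conf from system/local once TA_Forwarder has been deployed), sketched as an added example that is not part of the original thread. It assumes the standard `$SPLUNK_HOME/etc/apps` and `$SPLUNK_HOME/etc/system/local` layout; the backup directory and the function name are hypothetical, and files are moved aside rather than deleted so a forwarder can be recovered.

```shell
#!/bin/sh
# Added example: retire system/local copies once the deployed TA carries them.
# Assumptions: app name TA_Forwarder (from the thread), standard etc/ layout,
# hypothetical backup directory under $SPLUNK_HOME/var.

FILES="outputs.conf deploymentclient.conf"

# migrate_system_local <splunk_home> [app_name]
# returns 0 = at least one file retired (restart needed)
#         1 = refused or failed: system/local left for an admin to inspect
#         2 = nothing to do (system/local already clean)
migrate_system_local() {
    home=$1
    app=${2:-TA_Forwarder}
    sys_local="$home/etc/system/local"
    ta_default="$home/etc/apps/$app/default"
    backup="$home/var/system-local-backup"

    # Refuse unless the TA already provides every file we are about to retire;
    # otherwise the forwarder would lose its DS and indexer settings.
    for f in $FILES; do
        if [ -f "$sys_local/$f" ] && [ ! -s "$ta_default/$f" ]; then
            echo "refusing: $ta_default/$f missing or empty" >&2
            return 1
        fi
    done

    moved=0
    for f in $FILES; do
        [ -f "$sys_local/$f" ] || continue
        mkdir -p "$backup" || return 1
        mv "$sys_local/$f" "$backup/$f.$(date +%Y%m%d%H%M%S)" || return 1
        moved=1
    done

    [ "$moved" -eq 1 ] && return 0
    return 2
}

# Typical call on a forwarder, restarting only when something changed:
#   migrate_system_local "$SPLUNK_HOME" && "$SPLUNK_HOME/bin/splunk" restart
```

Return code 1 is the case to alert on: the forwarder still has settings only in system/local, so the ServerClass membership for that client should be checked before retrying.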

tam82
Explorer

Thank you 

0 Karma

gcusello
SplunkTrust

Hi @tam82,

tell me if you need more info or if the answer solves your question; in this case, please accept it for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma