Set the tcpout server via the CLI at installation

damian_ingenie_
New Member

I'm using PowerShell to install universal forwarders on the new machines that I'm spinning up, using the following command:

cmd /c "msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER='simdc01:9997' MONITOR_PATH='c:\logs' PERFMON=cpu,memory,network,diskspace /quiet"

But this does not create an outputs.conf file containing the TCP settings, so I'm doing this in PowerShell to manually create the file needed:

$outputsConfString = @"
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = simdc01:9997
"@

New-Item "C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf" -type file -force -value $outputsConfString

My question is, is there a way to do this via the CLI or am I stuck with this hack?
It feels wrong to have to hack files in this way when there is tooling provided to automate things.

0 Karma

thomrs
Communicator

If you have a lot of forwarders, best to push configs with a deployment server. This approach lets you keep all your configs in one place. I even use the DS to manage multiple indexers.

http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Aboutdeploymentserver

0 Karma

trsavela
Path Finder

This should do the trick.

./splunk add forward-server <indexer>:port -auth admin:password

http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/CLIadmincommands
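
An added example (not from the thread or from Splunk's documentation) that wraps the `add forward-server` call from the answer above: it checks outputs.conf first, prompts for the admin password instead of hard-coding it in the provisioning script, and fails if no `[tcpout:<group>]` stanza names the indexer afterwards. The install path and indexer are taken from the question; the `admin` account name and the location the CLI writes to are assumptions.

```powershell
# Added example, not code from the thread. Assumed: default install path, 'admin' account.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Indexer    = 'simdc01:9997'          # receiver named in the question
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$Outputs    = Join-Path $SplunkHome 'etc\system\local\outputs.conf'

function Get-TcpoutServer {
    # Return every host:port listed as "server = ..." under a [tcpout:<group>] stanza.
    param([string]$Path)
    $servers = @()
    if (-not (Test-Path -LiteralPath $Path)) { return $servers }
    $inGroup = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inGroup = $Matches[1] -like 'tcpout:*'
        } elseif ($inGroup -and $text -match '^server\s*=\s*(.+)$') {
            $servers += $Matches[1].Split(',') | ForEach-Object { $_.Trim() }
        }
    }
    return $servers
}

if ((Get-TcpoutServer $Outputs) -contains $Indexer) {
    Write-Output "outputs.conf already forwards to $Indexer; nothing to do."
} else {
    # Prompt instead of hard-coding admin:password in the provisioning script.
    $cred = Get-Credential -UserName 'admin' -Message 'Splunk forwarder admin account'
    $auth = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
    & $Splunk add forward-server $Indexer -auth $auth
    $exit = $LASTEXITCODE
    Remove-Variable auth, cred      # do not leave the secret in the session
    if ($exit -ne 0) { throw "splunk add forward-server exited with code $exit" }

    # Assumption: the CLI records the receiver in etc\system\local\outputs.conf.
    if ((Get-TcpoutServer $Outputs) -notcontains $Indexer) {
        throw "No [tcpout:<group>] stanza in $Outputs lists $Indexer"
    }
    Write-Output "Forwarding to $Indexer configured."
}
```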

damian_ingenie_
New Member

Spot on, thanks

0 Karma

MuS
SplunkTrust

Ok tried it myself with the file splunkforwarder-6.2.1-245427-x64-release.msi and the following command:

msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi RECEIVING_INDEXER="foo:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

This adds in $SPLUNK_HOME/etc/system/local/outputs.conf this entry:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = foo:9997

[tcpout-server://foo:9997]

Maybe you need to download a fresh copy of the msi or you found a bug 😉

0 Karma

MuS
SplunkTrust

You should be able just to provide the RECEIVING_INDEXER http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/RemotelydeployaWindowsdfwithastaticconf... during initial install as well ... but it is not honored in this case....

0 Karma

damian_ingenie_
New Member

As you can see from my example command line in the question, RECEIVING_INDEXER is there, but it does not work... none of the outputs.conf files are modified with that switch, which is what has led me to ask this question.

0 Karma