Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Splunk Deployment App Configurations on Univer...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Deployment App Configurations on Universal Forwarder not Working
I am using a deployment server to push out an "app" that has an input.conf file and output.conf file in the local directory of the app. The app is being pushed out to the clients and the configs look fine; however the config does not seem to be applied. I have a feeling I need to restart the Splunk Forwarder service, but there must be a way to automate this. Having to restart the service on the many servers this app applies to seems silly. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the serverclass.conf file, you can specify that the forward restart after installing a new (or updated) app. You can set this at the global level, for a serverclass, or for an app+serverclass combination:
[global]
restartSplunkd = true
[serverClass:MyServerGroup]
restartSplunkd = true
[serverClass:MyServerGroup:app:MyExampleApp]
restartSplunkd = true
Obviously, choose the level that works best for you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this configured, I think the problem might be else ware. It seems to me that the config is just not applying.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever get a resolution on this? I'm experiencing the same thing. I have two tomcat servers with forwarders configured as deployment clients. Both accepted the deployment app, but neither would forward anything or even acknowledge the monitor stanza in the inputs.conf.
I took the inputs.conf out of the app folder on one of the forwarders and copied it into the etc/system/local folder, restarted the forwarder and it started working! So why is the same inputs.conf working in etc/system/local but not etc/apps/tomcat/local?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind, I just upgraded my forwarders from 6.4.1 to 6.5.0 and the problem went away. My forwarders are now acknowledging the deployed apps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note that the globals, I don't believe, are supported by the Forwarder Management pages in Splunk 6+.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
