Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Will turning on Forwarder Management cause issues with existing forwarders?

jchom
Engager
‎11-03-2022 10:25 PM

Hey everyone,

This might be a bit of a silly question, but I've not seen it answered definitively and anyone I have asked regarding this also has not been able to advise.

I am working on fixing a deployment server and re-introducing the forwarder management to a Splunk environment, a previous iteration used it but oddly not the current one. And I was wondering, if I enable Forwarder Management will that cause any issues with already existed forwarders that have some custom stanza's in their inputs.conf (so resetting to a default state or to the state present on the deployment server). Or will that only take place when going through the process of getting server classes set?

Cheers! 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2022 12:36 AM

Hi @jchom,

when you connect a Universal Forwarder to a Deployment Server, that UF can only have the apps configured on the DS.

In other words, if there's alocally manually deployed app, it will be removed when you connect the UF to the DS.

There will be no problems on local configurations (e.g. inputs.conf in local older), but only of deployed apps, if that app wasn'r deployed it will be removed.

This means that, before reintroducing Forwarders Management, you have to plan your deployment, listing on paper (or Excel):

  • all the apps to deploy,
  • all the clients to deploy,
  • the ServerClasses (the correlation table between clients and apps).

Then you can start your Forwarders management.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jchom
Engager
‎11-07-2022 08:50 PM

Ok, I thought that might be the case. Now I need to make sure that there isn't anything that will cause my ingestion to blow up too much if it gets removed or rewritten.

Thanks for the assist @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 11:43 PM

Hi @jchom,

you're always welcome!

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2022 12:36 AM

Hi @jchom,

when you connect a Universal Forwarder to a Deployment Server, that UF can only have the apps configured on the DS.

In other words, if there's alocally manually deployed app, it will be removed when you connect the UF to the DS.

There will be no problems on local configurations (e.g. inputs.conf in local older), but only of deployed apps, if that app wasn'r deployed it will be removed.

This means that, before reintroducing Forwarders Management, you have to plan your deployment, listing on paper (or Excel):

  • all the apps to deploy,
  • all the clients to deploy,
  • the ServerClasses (the correlation table between clients and apps).

Then you can start your Forwarders management.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...