Getting Data In

Will turning on Forwarder Management cause issues with existing forwarders?

jchom
Engager

Hey everyone,

This might be a bit of a silly question, but I've not seen it answered definitively and anyone I have asked regarding this also has not been able to advise.

I am working on fixing a deployment server and re-introducing Forwarder Management to a Splunk environment; a previous iteration used it but, oddly, not the current one. I was wondering: if I enable Forwarder Management, will that cause any issues with already existing forwarders that have some custom stanzas in their inputs.conf (so resetting to a default state or to the state present on the deployment server)? Or will that only take place when going through the process of getting server classes set?

Cheers! 

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @jchom,

when you connect a Universal Forwarder to a Deployment Server, that UF can only have the apps configured on the DS.

In other words, if there's a locally, manually deployed app, it will be removed when you connect the UF to the DS.

There will be no problems with local configurations (e.g. inputs.conf in the local folder), only with deployed apps: if an app wasn't deployed, it will be removed.

This means that, before reintroducing Forwarders Management, you have to plan your deployment, listing on paper (or Excel):

  • all the apps to deploy,
  • all the clients to deploy,
  • the ServerClasses (the correlation table between clients and apps).

Then you can start your Forwarders management.

Ciao.

Giuseppe

0 Karma
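
Added example, not part of the original thread and not Splunk tooling: one way to do the planning step from the answer above, comparing the apps found on each forwarder with what the planned server classes would deploy, so apps not covered by any server class are known before clients connect. The serverclass.conf sample, hostnames, app names and the built-in app list are constructed assumptions, and only numbered whitelist/blacklist entries with `*` wildcards matched against the hostname are handled.

```python
import configparser
from fnmatch import fnmatchcase
# Constructed sample serverclass.conf for the planned deployment server.
SERVERCLASS_CONF = """
[serverClass:linux_web]
whitelist.0 = web-*
blacklist.0 = web-test-*
[serverClass:linux_web:app:TA_nix_inputs]
[serverClass:windows_dc]
whitelist.0 = dc-*
[serverClass:windows_dc:app:TA_windows_inputs]
"""
# Constructed inventory: forwarder hostname -> directories found in etc/apps.
INVENTORY = {
    "web-01": ["TA_nix_inputs", "custom_app_logs", "search"],
    "web-test-01": ["TA_nix_inputs", "learned"],
    "dc-01": ["TA_windows_inputs", "SplunkUniversalForwarder"],
}
# Assumption: apps shipped with the forwarder itself; adjust for your version.
BUILTIN_APPS = {"SplunkUniversalForwarder", "introspection_generator_addon",
                "learned", "search", "splunk_httpinput", "splunk_internal_metrics"}

def parse_serverclasses(text):
    # Returns {class: {"whitelist": [...], "blacklist": [...], "apps": {...}}}.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    classes = {}
    for section in cp.sections():
        parts = section.split(":")
        if parts[0] != "serverClass" or len(parts) < 2:
            continue
        sc = classes.setdefault(parts[1], {"whitelist": [], "blacklist": [], "apps": set()})
        if len(parts) == 4 and parts[2] == "app":
            sc["apps"].add(parts[3])  # app stanza: record the app, skip its keys
            continue
        for key, value in cp.items(section):
            kind, _, index = key.partition(".")
            if kind in ("whitelist", "blacklist") and index.isdigit():
                sc[kind].append(value)
    return classes

def unmanaged_apps(inventory, classes):
    # Per host, apps on disk that no matching server class would deploy.
    report = {}
    for host, local in inventory.items():
        match = lambda pats: any(fnmatchcase(host, p) for p in pats)
        assigned = set().union(*(sc["apps"] for sc in classes.values()
                                 if match(sc["whitelist"]) and not match(sc["blacklist"])))
        report[host] = sorted(set(local) - assigned - BUILTIN_APPS)
    return {h: apps for h, apps in report.items() if apps}
```

Feeding it the real app listings collected from each forwarder gives the per-host list to review, and either add to a server class or accept losing, before Forwarder Management is turned on.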

jchom
Engager

Ok, I thought that might be the case. Now I need to make sure that there isn't anything that will cause my ingestion to blow up too much if it gets removed or rewritten.

Thanks for the assist @gcusello 

0 Karma

gcusello
SplunkTrust

Hi @jchom,

you're always welcome!

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
