Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Will turning on Forwarder Management cause issues with existing forwarders?

jchom
Engager
‎11-03-2022 10:25 PM

Hey everyone,

This might be a bit of a silly question, but I've not seen it answered definitively and anyone I have asked regarding this also has not been able to advise.

I am working on fixing a deployment server and re-introducing the forwarder management to a Splunk environment, a previous iteration used it but oddly not the current one. And I was wondering, if I enable Forwarder Management will that cause any issues with already existed forwarders that have some custom stanza's in their inputs.conf (so resetting to a default state or to the state present on the deployment server). Or will that only take place when going through the process of getting server classes set?

Cheers! 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2022 12:36 AM

Hi @jchom,

when you connect a Universal Forwarder to a Deployment Server, that UF can only have the apps configured on the DS.

In other words, if there's alocally manually deployed app, it will be removed when you connect the UF to the DS.

There will be no problems on local configurations (e.g. inputs.conf in local older), but only of deployed apps, if that app wasn'r deployed it will be removed.

This means that, before reintroducing Forwarders Management, you have to plan your deployment, listing on paper (or Excel):

  • all the apps to deploy,
  • all the clients to deploy,
  • the ServerClasses (the correlation table between clients and apps).

Then you can start your Forwarders management.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jchom
Engager
‎11-07-2022 08:50 PM

Ok, I thought that might be the case. Now I need to make sure that there isn't anything that will cause my ingestion to blow up too much if it gets removed or rewritten.

Thanks for the assist @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2022 11:43 PM

Hi @jchom,

you're always welcome!

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2022 12:36 AM

Hi @jchom,

when you connect a Universal Forwarder to a Deployment Server, that UF can only have the apps configured on the DS.

In other words, if there's alocally manually deployed app, it will be removed when you connect the UF to the DS.

There will be no problems on local configurations (e.g. inputs.conf in local older), but only of deployed apps, if that app wasn'r deployed it will be removed.

This means that, before reintroducing Forwarders Management, you have to plan your deployment, listing on paper (or Excel):

  • all the apps to deploy,
  • all the clients to deploy,
  • the ServerClasses (the correlation table between clients and apps).

Then you can start your Forwarders management.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...