
Client Phone home Search Head instead of Deployment Server

Vivek
Engager

Hello,

I had set up a Distributed Search setup in VirtualBox with a Search Head, indexer and Deployment Server. 

Initially the forwarders were showing up in the deployment server as phoned home. But after restarting I see that no clients are coming up in DS, instead they are showing up in the Search Head's Forwarder Management.

I checked the deploymentclient.conf and the IP points towards the Deployment Server. 

I tried removing the deployment-apps in Search Head and restarting but I think as it's in a Distributed Search mode the folder is automatically getting created.

0 Karma

isoutamo
SplunkTrust

Hi

Have you looked at this: https://docs.splunk.com/Documentation/Splunk/9.4.2/Updating/Upgradepre-9.2deploymentservers ?

There were some changes in 9.2 to how the DS stores client information.

This also leads to a situation where you see those deployment clients on your SH, as it gets that information from your indexer's indexes (I suppose that you have forwarded all logs to the indexer).

r. Ismo


Vivek
Engager

Hi,

Sorry for the delay in reply. 
Thanks for this solution. I also found another link which provided a similar solution.

Clients are missing from Forwarder Management display after upgrade to Splunk 9.2.x



Basically, modifying the outputs.conf with the below stanzas and restarting Splunk fixed the issue.

[indexAndForward]
index = true
selectiveIndexing = true

[tcpout]
indexAndForward = false
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)

 

0 Karma

sainag_splunk
Splunk Employee

@isoutamo is exactly right about the 9.2 changes! To help troubleshoot this further, you should check a few things to understand why the forwarders aren't connecting properly to the DS. Start by testing connectivity from each forwarder using telnet or netcat to make sure they can actually reach the deployment server on port 8089.

Next, examine your serverclass.conf on the Deployment Server to verify that your forwarders match the whitelist criteria and that the client matching is configured properly. Many times the issue is that the serverclass isn't set up to recognize your specific forwarders.

On the forwarder side, run btool deploymentclient to see what configuration is actually being applied. This will show you if there are any conflicting settings or if the deploymentclient.conf isn't pointing where you expect it to.

If your deployment server is forwarding its internal logs to your indexer, you might also need to add the indexAndForward settings in outputs.conf on the DS, as this can affect how deployment client data appears in the management UI after 9.2.

Just to confirm, are you also managing your Search Head and indexer through the Deployment Server? And is this truly a distributed setup with separate VMs, or multiple Splunk instances on one box? That architecture detail might help explain what you're seeing.




If this Helps Please Upvote!

Together we make the Splunk Community stronger 
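
Added example, not code from the posters or from Splunk: a Python check that an outputs.conf carries the stanzas posted earlier in the thread and referred to in the reply above, including that the whitelist regex covers the three `_ds*` indexes it names. The sample files, the group name `primary_indexers` and the address 192.0.2.10 are constructed, and treating the whitelist as a full-match regex on the index name is an assumption.

```python
import re
from configparser import ConfigParser

# Index names copied from the whitelist posted in this thread.
DS_INDEXES = ("_dsclient", "_dsphonehome", "_dsappevent")

# Constructed sample: a DS outputs.conf that forwards but lacks the stanzas.
SAMPLE_BROKEN = "[tcpout:primary_indexers]\nserver = 192.0.2.10:9997\n"

# Constructed sample: the same file with the stanzas from the thread added.
SAMPLE_FIXED = """\
[indexAndForward]
index = true
selectiveIndexing = true

[tcpout]
indexAndForward = false
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)

[tcpout:primary_indexers]
server = 192.0.2.10:9997
"""

def check_ds_outputs(conf_text):
    """Return a list of findings; an empty list means the stanzas are in place."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    findings = []
    for key in ("index", "selectiveIndexing"):
        val = cp.get("indexAndForward", key, fallback="")
        if val.strip().lower() not in ("true", "1"):
            findings.append(f"[indexAndForward] {key} is not true")
    pattern = cp.get("tcpout", "forwardedindex.2.whitelist", fallback=None)
    if pattern is None:
        return findings + ["[tcpout] forwardedindex.2.whitelist is not set"]
    try:
        rx = re.compile(pattern)
    except re.error as exc:  # a typo in the pattern is reported, not raised
        return findings + [f"whitelist is not a valid regex: {exc}"]
    # Assumption: the pattern must match the whole index name.
    missing = [i for i in DS_INDEXES if not rx.fullmatch(i)]
    return findings + [f"whitelist does not match index {i}" for i in missing]

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_ds_outputs(text) or "OK")
```

To check a real file, pass its contents to `check_ds_outputs`; the merged configuration that btool prints is the better input when several apps contribute to outputs.conf.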
