Monitoring Splunk

Where can I find update interval for Universal Forwarder

Alberto_Astolf1
Explorer

Dear all,
could you please tell me how often the Universal Forwarder checks for and downloads the configuration file from the deployment server?

Could you please tell me how to check the Universal Forwarder log files to locate the string that reports this update operation?

Thanks

 

0 Karma
1 Solution

Alberto_Astolf1
Explorer

Ok, I found it by myself.

I have to launch

./splunk reload deploy-server

to redeploy the changes.

As described here: Deploy apps to agents | Splunk Enterprise (last updated 2026-01-08T08:11:35.895Z)

Bye

 


0 Karma

gcusello
SplunkTrust

Hi @Alberto_Astolf1 ,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

P.S.: Sign in to the Splunk Italia User group: https://usergroups.splunk.com/italia-splunk-user-group/

0 Karma

Alberto_Astolf1
Explorer

Hi @PickleRick ,
what do you mean by "use capabilities"?

I decided to run the UF as root, because there are many, many log files to read by UF, and with many different owners, groups, and permissions. It would require a truly enormous effort to change the various permissions, groups, and users. The easy way is to run the UF as root.

However, I don't think this impacted the UF update.

I think that the root cause of my issue is that the DS doesn't recognize that the deployment app file was changed.

Ciao
Alberto

0 Karma

isoutamo
SplunkTrust
With the latest Splunk version, running it as root is denied! You must use the way that @PickleRick already showed you.
If the UF loads the new package from the DS but doesn't take it into use, it's quite obvious that your configuration is missing the restart UF parameter in the serverclass configuration file.
0 Karma
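
The restart parameter mentioned in the reply above corresponds to `restartSplunkd` in serverclass.conf, which can be set at the global, server class, or app level. The following is an added example, not part of the original thread or Splunk's tooling: it resolves the effective value for one app within a single file. The class and app names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example. Class/app names below are hypothetical; the sample is constructed.

# Usage: effective_restart <serverClass> <app> < serverclass.conf
# Resolves restartSplunkd with the most specific stanza winning:
# [serverClass:<class>:app:<app>] > [serverClass:<class>] > [global] > default false.
effective_restart() {
    awk -v class="$1" -v app="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ { stanza = trim($0); gsub(/^\[|\]$/, "", stanza); next }
    {
        eq = index($0, "=")
        if (!eq || trim(substr($0, 1, eq - 1)) != "restartSplunkd") next
        v = trim(substr($0, eq + 1))
        if (stanza == "global")                               g = v
        else if (stanza == "serverClass:" class)              c = v
        else if (stanza == "serverClass:" class ":app:" app)  a = v
    }
    END {
        if (a != "")      print a " (app stanza)"
        else if (c != "") print c " (serverClass stanza)"
        else if (g != "") print g " (global stanza)"
        else              print "false (default)"
    }'
}

# Constructed serverclass.conf: one app restarts the forwarder, the other does not.
sample_serverclass() {
    cat <<'EOF'
[global]
restartSplunkd = false

[serverClass:linux_uf]
whitelist.0 = *

[serverClass:linux_uf:app:my_inputs]
restartSplunkd = true

[serverClass:linux_uf:app:my_outputs]
EOF
}

sample_serverclass | effective_restart linux_uf my_inputs    # true (app stanza)
sample_serverclass | effective_restart linux_uf my_outputs   # false (global stanza)
```

When settings are spread over several files, run it on the merged output of `splunk btool serverclass list` instead of on one file.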

PickleRick
SplunkTrust

Of course. It has nothing to do with communication to DS but it's a good practice to use least privileged user.

See

https://help.splunk.com/en/splunk-cloud-platform/forward-and-process-data/universal-forwarder-manual...

(for older UF versions you had to grant splunkd the CAP_DAC_READ_SEARCH manually, with modern releases I think it's by default when you enable boot-start using systemd)

0 Karma
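
The least-privilege setup described in the reply above can be verified on a running forwarder from the process status file. The following is an added example, not part of the original thread or Splunk's tooling: it reads `/proc/<pid>/status` text and reports whether splunkd runs as uid 0 or as an unprivileged user holding CAP_DAC_READ_SEARCH. The uid 1001 and the sample status text are constructed.

```shell
#!/bin/sh
# Added example. The status excerpts used below are constructed.
# CAP_DAC_READ_SEARCH is capability number 2, i.e. bit 0x4 of the CapEff mask.

# Usage: uf_privilege_verdict < /proc/<splunkd pid>/status
uf_privilege_verdict() {
    awk '
    # Bit 0x4 lives in the last hex digit of the mask, so only that digit matters.
    function has_dac_read_search(mask,    d) {
        d = index("0123456789abcdef", tolower(substr(mask, length(mask), 1))) - 1
        return int(d / 4) % 2
    }
    $1 == "Uid:"    { euid = $3 }   # fields: real, effective, saved, filesystem
    $1 == "CapEff:" { cap = $2 }    # effective capability set, hexadecimal
    END {
        if (euid == "" || cap == "") { print "UNKNOWN: not a status file"; exit }
        if (euid == 0) { print "ROOT: splunkd runs as uid 0"; exit }
        if (has_dac_read_search(cap))
            print "OK: unprivileged uid " euid " with CAP_DAC_READ_SEARCH"
        else
            print "LIMITED: uid " euid " without CAP_DAC_READ_SEARCH"
    }'
}

# Constructed status excerpt for uid $1 with effective capability mask $2.
sample_status() {
    printf 'Name:\tsplunkd\nUid:\t%s\t%s\t%s\t%s\nCapEff:\t%s\n' \
        "$1" "$1" "$1" "$1" "$2"
}

sample_status 0    000001ffffffffff | uf_privilege_verdict   # ROOT: ...
sample_status 1001 0000000000000004 | uf_privilege_verdict   # OK: ...
sample_status 1001 0000000000000000 | uf_privilege_verdict   # LIMITED: ...
```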

kknairr
Communicator

@Alberto_Astolf1 - By default, the Universal Forwarder (UF) contacts the Deployment Server every 60 seconds to check for and download updated configurations, also known as the phone home interval in Splunk terms. You can verify the interval from deploymentclient.conf under the "phoneHomeIntervalInSecs" parameter.

On your second question, to verify the phoning activity on the UF side, you should check the splunkd.log file located under $SPLUNK_HOME/var/log/splunk/. The deployment client writes messages tagged with DC:DeploymentClient whenever it connects to the Deployment Server, checks for updates, or downloads new configurations. Searching this log for keywords like phoneHome, DeploymentClient, etc. will show the exact timestamps of each check-in and update operation.

For additional confirmation, you can run $SPLUNK_HOME/bin/splunk btool deploymentclient list --debug to display the effective configuration on the UFs and confirm the current interval setting.

Hope this helps.

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details  ✏️

 

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

 

0 Karma
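
The log check described in the answer above can be turned into a gap detector for forwarders that stop checking in. The following is an added example, not part of the original thread or Splunk's tooling: it reads splunkd.log, keeps entries whose component starts with `DC:`, and reports any pause longer than twice the phone home interval. The line layout (date, time, UTC offset, level, component) and the factor of two are assumptions, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example. The log lines below are constructed, including their message text.

# Usage: phonehome_gaps <phoneHomeIntervalInSecs> < splunkd.log
# Prints a GAP line when two consecutive DC:* entries are more than twice the
# interval apart, then the number of DC:* entries seen. Assumes one UTC offset.
phonehome_gaps() {
    awk -v interval="$1" '
    # Days since 1970-01-01 for a Gregorian date (Julian day number arithmetic;
    # 2472633 folds the formula constant 32045 and the epoch day 2440588 together).
    function days(y, m, d,    a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 2472633
    }
    # Assumed line layout: MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component ...
    $5 ~ /^DC:/ {
        split($1, dt, "-"); split($2, tm, ":")
        now = days(dt[3], dt[1], dt[2]) * 86400 + tm[1] * 3600 + tm[2] * 60 + int(tm[3])
        if (n > 0 && now - last > 2 * interval)
            printf "GAP %ds before %s %s\n", now - last, $1, $2
        last = now; n++
    }
    END { printf "CHECKINS %d\n", n }'
}

# Constructed splunkd.log excerpt: regular check-ins, then a pause of 450 seconds.
sample_splunkd_log() {
    cat <<'EOF'
03-13-2026 23:58:30.101 +0100 INFO  DC:DeploymentClient - constructed check-in entry
03-13-2026 23:58:41.007 +0100 INFO  OtherComponent - constructed unrelated entry
03-13-2026 23:59:30.212 +0100 INFO  DC:DeploymentClient - constructed check-in entry
03-14-2026 00:00:30.009 +0100 INFO  DC:DeploymentClient - constructed check-in entry
03-14-2026 00:08:00.450 +0100 INFO  DC:DeploymentClient - constructed check-in entry
EOF
}

sample_splunkd_log | phonehome_gaps 60
# GAP 450s before 03-14-2026 00:08:00.450
# CHECKINS 4
```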

Alberto_Astolf1
Explorer

Thank you @kknairr 

It seems to not work as expected, because I have the issue I reported in the other reply.

 

0 Karma

kknairr
Communicator

@Alberto_Astolf1 Okay, a couple of things which might be worth checking in that case.

  • Make sure the modified inputs.conf is in the correct directory (local vs default) within the app. Misplaced files can prevent the DS from packaging them correctly.
  • Confirm that the forwarders not reflecting updates are still members of the intended server class. If they’re not, they won’t receive the updated app.
  • Check the logs in $SPLUNK_HOME/var/log/splunk/splunkd.log on the DS for DeploymentServer activity to confirm it registered the app change and attempted distribution.
  • On the UF side, look in splunkd.log for deployment entries. If you see regular phone‑home messages but no app update, that suggests the DS didn’t flag the app as changed.

If you're still unable to figure it out, I highly recommend raising a support case with Splunk support, providing them the related log files for effective troubleshooting.

0 Karma

PickleRick
SplunkTrust

deploymentclient.conf is the configuration file responsible for... well, the deployment client settings. It contains (among other things) the DS address as well as the interval with which the DC (in your case - the UF) calls home.

Of course because of the usual layering of configuration files from various places (see https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.1/administer-splunk-enterpris... ) you can get the effective configuration (along with the source of each entry) with

splunk btool deploymentclient list --debug

 

0 Karma

gcusello
SplunkTrust

Hi @Alberto_Astolf1 ,

in the file deploymentclient.conf, you can find all the configurations of the connection between the client and the Deployment Server; for more info, see https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/9.4/configuration-file-referenc...

Anyway:

phoneHomeIntervalInSecs = <decimal>
* How frequently, in seconds, this deployment client should
  check for new content.
* Fractional seconds are allowed.
* Default: 60.

At least, you can find connection information on the _dsclient index.

What's your issue?

Ciao.

Giuseppe

0 Karma

Alberto_Astolf1
Explorer

Hi @gcusello ,
the issue is the following.
I have one app that is distributed to various UF through a specific Server Class.
This app has the input.conf file that I modified (I added more monitor sections).
This app has been here for several weeks, and I just changed it.
This change is not propagated to the UF.
I didn't modify the update interval, so I'm expecting that after 60 seconds the UF has the new input.conf file.

Thanks

0 Karma

gcusello
SplunkTrust

Hi @Alberto_Astolf1 ,

let me understand: was the app not deployed to the client or was it deployed but it doesn't run?

in the second case, did you remember to add the restart of splunkd on the UF?

Anyway, if you have many clients, each one has to wait for more than 60 seconds.

Ciao.

Giuseppe

0 Karma

Alberto_Astolf1
Explorer

Hi @gcusello ,
the app has been here for a few weeks. It was deployed correctly. 

Today I made some changes to the input.conf file within the app.

However, these changes are not reported in the UF.

Ciao,
Alberto

 

0 Karma

gcusello
SplunkTrust

Hi @Alberto_Astolf1 ,

checking in the DS, do you see that apps are all deployed to the client?

please manually check if the updates are present on the UF and try to manually restart the UF.

Are you speaking of a Windows or Linux DS and Client?

Ciao.

Giuseppe

0 Karma

Alberto_Astolf1
Explorer

Hi @gcusello ,
yes, from the DS web UI I see that the app is successfully deployed. I also see that "Last load time" is Mar 13.

In the UF system, I see the app in the ./etc/apps/<appname> location.

It seems that the DS doesn't recognize that I modified the app.

The DS and the UF are both on Linux. I modified the app by directly editing the files inside the ./etc/deployment-apps/<appname>/local/ directory.

Ciao,
Alberto

0 Karma

PickleRick
SplunkTrust

Wait a second. You edited the app on DS in etc/deployment-apps but did you do

splunk reload deploy-server

 

gcusello
SplunkTrust

Hi @Alberto_Astolf1 ,

Did you directly check if the add-on was updated on the client?

Did you try to restart Splunk on the UF?

What's the owner of the files in the ./etc/apps/<appname> location?

Ciao.

Giuseppe

0 Karma

Alberto_Astolf1
Explorer

Hi @gcusello ,

the app is not updating on the client (this is the main issue that I'm facing).

Ideally, I would like the changes to be propagated automatically so that I don't have to restart the UF manually every time I make changes.

All files are owned by root, and UF also runs as root.

Ciao,
Alberto

0 Karma

gcusello
SplunkTrust

Hi @Alberto_Astolf1 ,

it isn't a best practice to run Splunk as root for security reasons.

Anyway, as I said, remember to set up the splunkd restart for your app.

Only for test, try to restart Splunk on your UF to see if that is the issue.

Ciao.

Giuseppe

0 Karma