
Pointing universal forwarder to new deployment server

munazir
Engager

I have installed a new Splunk deployment server. I would like to point the universal forwarder that resides on the client to the newly installed Splunk deployment server. Where do I edit?

\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf or output.conf?


kristian_kolb
Ultra Champion

deploymentclient.conf is where you instruct a Splunk Forwarder where to look for its configurations. Just make sure that you have the right applications/serverclass memberships configured on the new deployment server before you make the switch.

outputs.conf is where Splunk stores configurations regarding where to send events. It is not uncommon to deploy the outputs.conf as an application through the deployment server. NB: if you do, then that outputs.conf will land in $SPLUNK_HOME/etc/apps/your_app_name/local_or_default/outputs.conf. This location has lower precedence than $SPLUNK_HOME/etc/system/local, so ensure that you don't have conflicting configuration there.


UPDATE:

There seems to be some confusion regarding concepts. A Deployment Server will not necessarily accept incoming log data sent from a forwarder. It is a role that any Splunk server can have, and it means that it will listen on port 8089 (by default) for incoming requests from Deployment Clients. If the DS has a newer version of an application that the deployment client is supposed to have, it will instruct the deployment client to download it.

An Indexer will listen on one or several ports for incoming log data. Data coming from forwarders are usually received on port 9997, but that is totally configurable (in inputs.conf on the indexer).

So you can in a way say that the outputs.conf on the forwarder maps to inputs.conf on an indexer, and that deploymentclient.conf on a forwarder maps to serverclass.conf (class membership) and server.conf (listening port) on the Deployment Server.

But of course, a single Splunk instance can be an Indexer and Deployment Server at the same time.

So if you already configure your outputs.conf through the deployment server, you should edit it on the DS, in $SPLUNK_HOME/etc/deployment-apps/your_app_name/local_or_default/outputs.conf. When you restart your DS, or run splunk reload deploy-server in the CLI, the new configuration will be active. In a few minutes the forwarder should have the new config.

Hope this helps,

K
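The precedence caveat in the answer above, as an added example that is not part of the original post: it reports which settings in a forwarder's etc/system/local/outputs.conf would override an outputs.conf deployed as an app. The file contents, hostnames and function names are constructed for illustration, and only the two layers named in the answer are modelled.

```python
import configparser

# Constructed sample: a leftover hand-edited file in etc/system/local.
SYSTEM_LOCAL = """\
[tcpout]
defaultGroup = old_indexers

[tcpout:old_indexers]
server = old-idx.example.com:9997
"""

# Constructed sample: outputs.conf pushed by the deployment server as an app.
DEPLOYED_APP = """\
[tcpout]
defaultGroup = new_indexers

[tcpout:new_indexers]
server = new-idx.example.com:9997
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective(system_local, app):
    """Merge the two layers; etc/system/local wins setting by setting."""
    merged = {s: dict(kv) for s, kv in app.items()}
    for stanza, kv in system_local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def shadowed(system_local, app):
    """Return (stanza, setting, app_value, winning_value) for each conflict."""
    return [(s, k, app[s][k], v)
            for s, kv in system_local.items() if s in app
            for k, v in kv.items() if k in app[s] and app[s][k] != v]


if __name__ == "__main__":
    local, app = parse_conf(SYSTEM_LOCAL), parse_conf(DEPLOYED_APP)
    for stanza, key, lost, won in shadowed(local, app):
        print(f"[{stanza}] {key}: deployed '{lost}' overridden by '{won}'")
```

With these samples the forwarder would keep sending to the old indexer group even though the new app arrived, which is the conflict the answer warns about.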

munazir
Engager

My intention is to forward the event to the new deployment server. Where and which conf file should I edit? The universal forwarder at the client, or the conf file at the deployment server?
