Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pointing universal forwarder to new deployment server

munazir
Engager
‎06-10-2013 11:37 PM

I have installed new Splunk deployment server. I would like to point the universal forwarder resides on client to the newly installed Splunk deployment server. Where do I edit?

\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf or output.conf?

Tags (1)
Reply

kristian_kolb
Ultra Champion
‎06-11-2013 12:04 AM

deploymentclient.conf is where you instruct a Splunk Forwarder where to look for its configurations. Just make sure that you have the right applications/serverclass memberships configured on the new deployment server before you make the switch.

outputs.conf is where the Splunk stores configurations regarding where to send events. It is not uncommon to deploy the outputs.conf as an application through the deployment server. NB: if you do, then that outputs.conf will land in $SPLUNK_HOME/etc/apps/your_app_name/local_or_default/outputs.conf. This location has lower precedence than $SPLUNK_HOME/etc/system/local, so ensure that you don't have conflicting configuration there.

UPDATE:

There seems to some confusion regarding concepts. A Deployment Server will not necessarily accept incoming log data sent from a forwarder. It is a role that any Splunk server can have, and it means that it will listen on port 8089 (by default) for incoming requests from Deployment Clients. If the DS has a newer version of an application that the deplyment client is supposed to have, it will instruct the deployment client to download it.

An Indexer will listen on one or several ports for incoming log data. Data coming from forwarders are usually received on port 9997, but that is totally configurable (in inputs.conf on the indexer).

So you can in a way say that the outputs.conf on the forwarder maps to inputs.conf on an indexer, and that deploymentclient.conf on a forwarder maps to serverclass.conf (class membership) and server.conf (listening port) on the Deployment Server.

But of course, a single Splunk instance can be an Indexer and Deployment Server at the same time.

So if you already configure your outputs.conf through the deployment server, you should edit it on the DS, in $SPLUNK_HOME/etc/deployment-apps/your_app_name/local_or_default/outputs.conf. When you restart your DS, or run splunk reload deploy-server in the CLI, the new configuration will be active. In a few minutes the forwarder should have the new config.

Hope this helps,

K

Reply

munazir
Engager
‎06-11-2013 12:15 AM

my intention is to forward the event to the new deployment server. Where and Which conf file should I edit? Universal forwarder at client or at the conf file at deployment server?

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...