Splunk Dev

Deploy Different Inputs.conf to different Universal Forwarder Using Deployment server.


Is it possible to deploy different Inputs.conf to different Universal Forwarder?

Tags (1)
0 Karma


There is a lot to this topic and more than can be covered in a single answer here, so I'll just link you to the proper documentation.

Check out About deployment server and forwarder management - it's a good point to get started and get a high level overview and more details to dig into.

Hope that helps!

0 Karma


I just read the documentation
But here is the situation: I have 1(app), 20(UF)

In the app, there are inputs.conf that change according to UF,
meaning for every UF there is 1(app) but different inputs.conf in it.
~UF_1 > Sample_App > inputs.conf (contain specific configuration for UF_1)
~UF_2> Sample_App > inputs.conf (contain specific configuration for UF_2)
~UF_3 > Sample_App > inputs.conf (contain specific configuration for UF_3)

0 Karma


Can you explain why the inputs.conf has to be different on every UF?
Basically - you can't dynamically change an app per UF, there is no templating or anything like this.
So if you actually need to have a different inputs.conf per UF, you need to clone the app 20 times and assign each copy to it's respective UF - therefore it would be good to see the reason why you want to do this. 🙂

0 Karma


That's the first idea came to my mind create 20apps,
The reason why I need the inputs.conf should differ is, there's a staza in the inputs.conf that get particularly that address

"destination =" - where "" is the ip that will get the data

I am afraid that if i do it in a whole it would repeat the data to be forward.
"destination =," - i think this would repeat the data.

0 Karma

Ultra Champion

Interesting. Can you please show us the inputs.conf file?

0 Karma


Here is my input.conf

communitystring = public
destination = (IP_ADDRESS)
do_bulk_get = 0
do_get_subtree = 1
index = SNMP
ipv6 = 0
mib_names = (MIB_Names)
object_names = (OID_Names)
port = 161
snmp_mode = attributes
snmp_version = 2C
sourcetype = (Sourcetype_Name)
split_bulk_output = 0
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

at first, I set a whole
"destination =,,,,," - but if I put it on every forwarder I think the data will get duplicated

so I am trying to do it individually using the deployment server

~UF_1 > Sample_App > inputs.conf ("destination =")
~UF_2> Sample_App > inputs.conf ("destination =")
~UF_3 > Sample_App > inputs.conf "destination =")
0 Karma


Ah, that you're using the SNMP input would habe been a valuable information at the start 😉
Yeah, if you deploy that app with on all UFs with a Config for all devices, you will get duplicates, true.

Why however do you want to do one UF for one device? I would just take one UF that does this task and have him do all the SNMP work, and not spread it over 20 single instances, because that will most likely be awful too debug (and definitely awful to manage via DS).

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...