Splunk Enterprise

Can I stop splunk universal forwarder at once from deployment server or any other apps?

Moon629
Explorer

Hi all

There are lots of splunk universal forwarders installed in application servers, and managed by deployment server. Can I stop all the UFs at once from deployment server? Or from any other apps?

Thanks in advance!

0 Karma

javiergn
SplunkTrust

You could always deploy an app that contains a Python, PowerShell or whatever other script language you want to use and run a splunk stop from there.

Splunk should run this and stop itself in theory.

But keep in mind you won't be able to undo this very easily. If your script creates a schedule or cron task that starts splunk automatically after a certain period, you might be able to overcome the issue.

Hope that helps.

Thanks,
J

Moon629
Explorer

Any app already created in splunk apps for this?

0 Karma

javiergn
SplunkTrust

I don't think so.
Depending on your needs and your environment you could use PowerShell on Windows hosts and Python everywhere else. Or just use Python everywhere.

Take a look at the following posts and see if that helps. All you need to do is to deploy your app that runs your script via inputs.conf:

https://answers.splunk.com/answers/212331/can-i-use-a-python-script-on-a-windows-universal-f.html
http://docs.splunk.com/Documentation/Splunk/latest/Admin/StartSplunk

If you are running 6.3 you can natively run PowerShell scripts too. See the following links:

http://docs.splunk.com/Documentation/AddOns/latest/MSPowerShell/Configuration
https://technet.microsoft.com/en-us/library/ee177005.aspx

For instance, your inputs.conf could be something like:

# Restart SplunkForwarder on Windows on December 24th (note this will run every year so make sure you disable the app)
[powershell://Restart-Splunk]
script = Stop-Service SplunkForwarder
schedule = 0 10 24 12 *
sourcetype = MySourceType

Hope that helps.

Thanks,
J

0 Karma

milesbrennan
Path Finder

I found the easiest way is to remove all the associated applications from the serverclass, and reload the deployment server. Then once the deployment client checks back in, it removes the application, and will not collect or send any data.

The fishbucket keeps track of the data logs you have already collected, so when you re-apply the applications, you don't get a double-up of event entries.

# Enable the DHCP input from Splunk_TA_windows
[serverClass:WinDHCP]
whitelist.0 = DCSERVER-AU
whitelist.1 = DCSERVER-UK
whitelist.2 = DCSERVER-US
whitelist.3 = DCSERVER-EU
whitelist.4 = DCSERVER-NZ
#[serverClass:WinDHCP:app:deploymentclient]        <-- remark out the application association
#[serverClass:WinDHCP:app:output_all]              <-- remark out the application association
#[serverClass:WinDHCP:app:Splunk_TA_windows]       <-- remark out the application association
#[serverClass:WinDHCP:app:AAA_windows_dhcp]        <-- remark out the application association

Save the "serverclass.conf" file and issue the deployment server a reload.

/opt/splunk/bin/splunk reload deploy-server
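The serverclass.conf edit described in the post above, as an added example that is not part of the original post and not Splunk tooling: a Python function (the name `disable_apps` is hypothetical) that comments out every app association of one server class. It goes beyond the post by also commenting out settings under each app stanza, since commenting only the header would leave those lines attached to the preceding stanza; the sample input is constructed.

```python
import re

# Matches an app-association stanza header such as
# [serverClass:WinDHCP:app:Splunk_TA_windows]
APP_HEADER = re.compile(r"^\[serverClass:(?P<cls>[^:\]]+):app:(?P<app>[^\]]+)\]\s*$")
ANY_HEADER = re.compile(r"^\[.*\]\s*$")


def disable_apps(conf_text, server_class):
    """Comment out every app association of one server class.

    Returns (new_text, [disabled app names]). Settings that belong to a
    disabled app stanza are commented out too, so they do not silently
    attach to the preceding stanza.
    """
    out, disabled, in_target = [], [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        m = APP_HEADER.match(stripped)
        if m:
            in_target = m.group("cls") == server_class
            if in_target:
                disabled.append(m.group("app"))
        elif ANY_HEADER.match(stripped):
            in_target = False
        # Leave blank lines and existing comments untouched.
        if in_target and stripped and not stripped.startswith("#"):
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n", disabled


# Constructed sample input, modelled on the WinDHCP class in the post above.
SAMPLE = """\
[serverClass:WinDHCP]
whitelist.0 = DCSERVER-AU
[serverClass:WinDHCP:app:Splunk_TA_windows]
restartSplunkd = true
[serverClass:WinDHCP:app:output_all]
[serverClass:Linux:app:output_all]
restartSplunkd = true
"""

if __name__ == "__main__":
    text, apps = disable_apps(SAMPLE, "WinDHCP")
    print(text)
    print("disabled:", apps)
```

Review the returned list of disabled apps before writing the file back and reloading the deployment server, so the change to each server class is recorded and can be reversed.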

Moon629
Explorer

Thank you, and yes, we can remove the configuration applied to the application servers. But can we stop the UFs, like running ./splunk stop, without needing to log in to the application servers?

0 Karma

milesbrennan
Path Finder

No, not natively from the central deployment server. If you accidentally stopped all the universal forwarders from the deployment server, you could be in some pretty big trouble, as you wouldn't be able to restart the remote Splunk services if they were all stopped.

Next best option is to remove the applications and allow the forwarders to remain active, polling the deployment server in case you make configuration changes or push out their applications again.

Allowing the forwarders to remain active in the OS would probably be best, and only use minimal resources sitting in memory doing nothing.

0 Karma

Moon629
Explorer

Thank you. The admin of the application servers is concerned that the UFs might use a lot of resources and affect the application, so he hopes that we can stop them all at once.

But I think you are correct. If the UFs use a lot of resources, that means they are reading and forwarding a lot of data. So removing the inputs and outputs configuration may be the effective way.

0 Karma