Edit the Inputs.conf of 20(universal forwarder) us...

jadengoho · ‎04-29-2018

Is there a way I can edit the input.conf of (20)Universal Forwarder just using a Deployment server.
If yes, can you please help me.

xpac · ‎04-30-2018

As always, "it depends".
If the existing inputs.conf is located in etc/system/local/ (or worse, etc/system/default/), you cannot modify it via Deployment server, because DS only deploys to the etc/apps/ directory. (besides some rather ugly hacks using scripted inputs)
If you however have an inputs.conf in an app, you can simply recreate that app on the DS in etc/deployment-apps/yourapp and then distribute it to the forwarders (assuming you configured the DS IP/hostname with those forwarders).
Be aware that you need to recreate the whole app before distributing it via DS, because all files in that app that only exist on the Forwarder, but not the DS will be removed.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

FrankVl · ‎04-30-2018

Yes you can.

In short, you need to:

Ensure the UFs are deployment clients of the DS
create an app with the respective inputs.conf content
put the app into the deployment-apps folder on the DS
On the DS: create a server class that holds the respective forwarders, then associate the app with that server class, to deploy it to the forwarders

If you're new to that, I'd suggest you take a look at the Deployment Server documentation: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver

PS: if with "edit" you literally mean edit an existing inputs.conf file on the UFs, @xpac has some very important comments in his answer.

Edit the Inputs.conf of 20(universal forwarder) using Deployment Server

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7