Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Edit the Inputs.conf of 20(universal forwarder) using Deployment Server

jadengoho
Builder
‎04-29-2018 11:56 PM

Is there a way I can edit the input.conf of (20)Universal Forwarder just using a Deployment server.
If yes, can you please help me.

Tags (1)
0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 12:12 AM

As always, "it depends".
If the existing inputs.conf is located in etc/system/local/ (or worse, etc/system/default/), you cannot modify it via Deployment server, because DS only deploys to the etc/apps/ directory. (besides some rather ugly hacks using scripted inputs)
If you however have an inputs.conf in an app, you can simply recreate that app on the DS in etc/deployment-apps/yourapp and then distribute it to the forwarders (assuming you configured the DS IP/hostname with those forwarders).
Be aware that you need to recreate the whole app before distributing it via DS, because all files in that app that only exist on the Forwarder, but not the DS will be removed.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply

FrankVl
Ultra Champion
‎04-30-2018 12:12 AM

Yes you can.

In short, you need to:

  • Ensure the UFs are deployment clients of the DS
  • create an app with the respective inputs.conf content
  • put the app into the deployment-apps folder on the DS
  • On the DS: create a server class that holds the respective forwarders, then associate the app with that server class, to deploy it to the forwarders

If you're new to that, I'd suggest you take a look at the Deployment Server documentation: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver

PS: if with "edit" you literally mean edit an existing inputs.conf file on the UFs, @xpac has some very important comments in his answer.

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...