Splunk Enterprise

Edit the Inputs.conf of 20(universal forwarder) using Deployment Server

jadengoho
Builder

Is there a way I can edit the input.conf of (20)Universal Forwarder just using a Deployment server.
If yes, can you please help me.

Tags (1)
0 Karma

xpac
SplunkTrust
SplunkTrust

As always, "it depends".
If the existing inputs.conf is located in etc/system/local/ (or worse, etc/system/default/), you cannot modify it via Deployment server, because DS only deploys to the etc/apps/ directory. (besides some rather ugly hacks using scripted inputs)
If you however have an inputs.conf in an app, you can simply recreate that app on the DS in etc/deployment-apps/yourapp and then distribute it to the forwarders (assuming you configured the DS IP/hostname with those forwarders).
Be aware that you need to recreate the whole app before distributing it via DS, because all files in that app that only exist on the Forwarder, but not the DS will be removed.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

FrankVl
Ultra Champion

Yes you can.

In short, you need to:

  • Ensure the UFs are deployment clients of the DS
  • create an app with the respective inputs.conf content
  • put the app into the deployment-apps folder on the DS
  • On the DS: create a server class that holds the respective forwarders, then associate the app with that server class, to deploy it to the forwarders

If you're new to that, I'd suggest you take a look at the Deployment Server documentation: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver

PS: if with "edit" you literally mean edit an existing inputs.conf file on the UFs, @xpac has some very important comments in his answer.

Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...