Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Edit the Inputs.conf of 20(universal forwarder) using Deployment Server

jadengoho
Builder
‎04-29-2018 11:56 PM

Is there a way I can edit the input.conf of (20)Universal Forwarder just using a Deployment server.
If yes, can you please help me.

Tags (1)
0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎04-30-2018 12:12 AM

As always, "it depends".
If the existing inputs.conf is located in etc/system/local/ (or worse, etc/system/default/), you cannot modify it via Deployment server, because DS only deploys to the etc/apps/ directory. (besides some rather ugly hacks using scripted inputs)
If you however have an inputs.conf in an app, you can simply recreate that app on the DS in etc/deployment-apps/yourapp and then distribute it to the forwarders (assuming you configured the DS IP/hostname with those forwarders).
Be aware that you need to recreate the whole app before distributing it via DS, because all files in that app that only exist on the Forwarder, but not the DS will be removed.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply

FrankVl
Ultra Champion
‎04-30-2018 12:12 AM

Yes you can.

In short, you need to:

  • Ensure the UFs are deployment clients of the DS
  • create an app with the respective inputs.conf content
  • put the app into the deployment-apps folder on the DS
  • On the DS: create a server class that holds the respective forwarders, then associate the app with that server class, to deploy it to the forwarders

If you're new to that, I'd suggest you take a look at the Deployment Server documentation: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver

PS: if with "edit" you literally mean edit an existing inputs.conf file on the UFs, @xpac has some very important comments in his answer.

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...