Hi -
I rarely log in to a UF locally after the deployment server path is set. (I guess I have been lucky...)
However, while tshooting some UF [thruput] limits, I logged into a local server and noticed in the UF directories a SplunkUniversalForwarder App... (I must not have paid too much attn to it before...)
Per https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/Configuretheuniversalforwarder
The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.
path>>> /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder (app)
Within the app there are a number of confs including >>> web.conf
The first line of the web.conf spec is >>>
This file contains possible attributes and values you can use to configure the Splunk Web interface.
I am under the impression this app was created for a reason duplicating / calling out some specific confs that are also found in the usual place like>>> /opt/SplunkUniversalForwarder/etc/system/default
My curiosity is piqued, and I need to ask: when would web.conf settings be applied to a UF?
Per https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/Configuretheuniversalforwarder
Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step.
Has anyone used web.conf settings on a UF?
Or is this web.conf setting in there to make sure the webserver is disabled?
[settings]
# disable the webserver
startwebserver = 0
Thank you.
The web.conf configuration files and SplunkUniversalForwarder app are legacy apps from the time when you could configure a Splunk Enterprise version as a Light Weight Forwarder by disabling certain components. The web.conf is NOT used at all in Splunk Universal Forwarders, and changing it will not have any effect. I believe they've just stayed there as the UF version was derived from Splunk Enterprise (to keep the feature that both products support a similar set of configuration files).
You'd see that $SPLUNK_HOME/etc/system/default/web.conf has startwebserver = 1 (enable Splunk Web), but there is no UI for UF. The app SplunkUniversalForwarder is disabled.
Hi @Glasses,
The Universal Forwarder does not support bringing the webpage up as its main purpose is to:
"include only the essential components that it needs to forward data to other Splunk platform instances. While it does not have a Web interface, you can still configure, manage, and scale it by editing configuration files or by using the Forwarder Management or Monitoring Console interfaces in Splunk Web."
Splunk® Universal Forwarder Forwarder Manual
Universal Forwarders have the added benefit of not impacting the host as much as a Splunk Enterprise instance would because they are so lean and do not require a lot of resources to run.
I do hope this helps with your question/post but do let us know if you have any other questions!
V/R,
nwuest