Splunk Enterprise

Web.conf settings on a Universal Forwarder

Glasses
Builder

Hi - 

I rarely log in to a UF locally after the deployment server path is set. (I guess I have been lucky...)

However, while troubleshooting some UF [thruput] limits, I logged into a local server and noticed in the UF directories a SplunkUniversalForwarder App... (I must not have paid too much attention to it before...)

Per https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/Configuretheuniversalforwarder

The universal forwarder has a SplunkUniversalForwarder app, which includes preconfigured settings that let the forwarder run in a streamlined mode. Do not edit any configuration files within that app unless you receive specific instructions.

path>>>  /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder (app)

Within the app there are a number of confs including >>> web.conf

The first line of the web.conf spec is >>> 

This file contains possible attributes and values you can use to configure
 the Splunk Web interface.

I am under the impression this app was created for a reason duplicating / calling out some specific confs that are also found in the usual place like>>>  /opt/SplunkUniversalForwarder/etc/system/default

My curiosity is piqued, and I need to ask: when would web.conf settings be applied to a UF?

Per https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/Configuretheuniversalforwarder

Because the universal forwarder does not have Splunk Web, you must give the forwarder a configuration either during the installation (on Windows systems only) or later, as a separate step.

Has anyone used web.conf settings on a UF?  

Or is this web.conf setting in there to make sure the webserver is disabled?

[settings]

# disable the webserver
startwebserver = 0

Thank you.


somesoni2
Revered Legend

@Glasses 

The web.conf configuration files and the SplunkUniversalForwarder app are legacy apps from the time when you could configure a Splunk Enterprise version as a Light Weight Forwarder by disabling certain components. The web.conf is NOT used at all in Splunk Universal Forwarders, and changing it will not have any effect. I believe they just stayed there as the UF version was derived from Splunk Enterprise (to keep the feature that both products support a similar set of configuration files).

You'd see that $SPLUNK_HOME/etc/system/default/web.conf has startwebserver = 1 (enable Splunk Web), but there is no UI for the UF. The app SplunkUniversalForwarder is disabled.
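
Added example, not part of the thread and not Splunk's code: a simplified Python model of Splunk's documented global-context file precedence (system/local, then app local, then app default, then system/default, skipping apps whose app.conf sets state = disabled), showing which web.conf would supply startwebserver. The directory tree is constructed to mirror the files named in this thread; the function names and the tree builder are hypothetical, and the result says nothing about whether the forwarder process reads web.conf at all.

```python
import configparser
import tempfile
from pathlib import Path

def read_conf(path):
    """Parse one .conf file; a missing file yields an empty parser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    if path.is_file():
        cp.read(path)
    return cp

def app_disabled(app_dir):
    """True if app.conf [install] state = disabled (local overrides default)."""
    for layer in ("local", "default"):
        cp = read_conf(app_dir / layer / "app.conf")
        if cp.has_option("install", "state"):
            return cp.get("install", "state").strip().lower() == "disabled"
    return False

def effective(splunk_home, conf, stanza, key):
    """Return (value, winning file) for one key, highest-precedence layer first."""
    home = Path(splunk_home)
    etc = home / "etc"
    # Assumption: enabled apps are ranked in ASCII order of directory name.
    apps = sorted(p for p in (etc / "apps").glob("*")
                  if p.is_dir() and not app_disabled(p))
    layers = ([etc / "system" / "local"] + [a / "local" for a in apps]
              + [a / "default" for a in apps] + [etc / "system" / "default"])
    for layer in layers:
        cp = read_conf(layer / conf)
        if cp.has_option(stanza, key):
            return cp.get(stanza, key), (layer / conf).relative_to(home).as_posix()
    return None, None

def build_sample(root, app_state):
    """Constructed tree mirroring the thread; app_state is 'enabled' or 'disabled'."""
    app = Path(root) / "etc" / "apps" / "SplunkUniversalForwarder" / "default"
    system = Path(root) / "etc" / "system" / "default"
    for d in (app, system):
        d.mkdir(parents=True)
    (system / "web.conf").write_text("[settings]\nstartwebserver = 1\n")
    (app / "web.conf").write_text(
        "[settings]\n\n# disable the webserver\nstartwebserver = 0\n")
    (app / "app.conf").write_text(f"[install]\nstate = {app_state}\n")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for state in ("enabled", "disabled"):
            home = build_sample(Path(tmp) / state, state)
            print(state, effective(home, "web.conf", "settings", "startwebserver"))
```

On a real host, `splunk btool web list settings --debug` reports the merged value and the file each line came from.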

nwuest
Path Finder

Hi @Glasses,

The Universal Forwarder does not support bringing the webpage up as its main purpose is to:

"include only the essential components that it needs to forward data to other Splunk platform instances. While it does not have a Web interface, you can still configure, manage, and scale it by editing configuration files or by using the Forwarder Management or Monitoring Console interfaces in Splunk Web."

Splunk® Universal Forwarder Forwarder Manual 

Universal Forwarders have the added benefit of not impacting the host as much as a Splunk Enterprise instance would because they are so lean and do not require a lot of resources to run.

 

I do hope this helps with your question/post but do let us know if you have any other questions!

V/R,
nwuest
