Splunk Enterprise

Why is the default setting for 'phoneHomeIntervalInSecs' in deploymentclient.conf not present in UF and Splunk Enterprise?



I want to see the default configuration of 'phoneHomeIntervalInSecs' in UF. I came across Splunk docs/answers and, as per those, checked in $splunk_home/etc/system/default/deploymentclient.conf in both UF and Splunk Enterprise, but was unable to locate it.

Could you please help me with the exact location to validate the phoneHomeIntervalInSecs?

Also, we are manually updating a new outputs.conf in the UF in the path splunk_home/etc/apps/deployment-apps/UFtoHF/local/outputs.conf.

As per the Splunk docs, due to polling between the Deployment Server and the UF, the new manual updates in the UF should be erased, but strangely they are not being erased (even though the new outputs.conf is not present in DS) and the updates are retained.

How exactly does this polling work between DS and UF? And why aren't the manual updates being erased?

0 Karma



You can see this from the docs:

phoneHomeIntervalInSecs = <decimal>
* How frequently, in seconds, this deployment client should
  check for new content.
* Fractional seconds are allowed.
* Default: 60.

Or check it from /opt/splunk/etc/system/README/deploymentclient.conf.spec

Also you can try this on the UF (or other nodes which are managed by DS):

splunk btool deploymentclient list --debug

Unfortunately (at least on one Windows UF where I tested it) it shows only non-default values 😞

Anyhow, if you have changed that interval, then the --debug flag shows which file it's coming from, as there can be several places where it is defined. Otherwise it was the default 60s.

My advice is to create your own TA for the DS connection, which you can manage later on with the DS, instead of using those CLI commands or directly adding those to /opt/splunk*/etc/system/local/deploymentclient.conf.

Just create an app, e.g. zzz_win_base_uf or similar (your UFtoHF?), where you have that deploymentclient.conf and outputs.conf under default. If/when you are using TLS on server-to-server connections, then you need separate apps for Windows and Linux/Unix, as there are / vs \ in path names in the additional server.conf.

If this app is managed by the DS, then it should be updated as it has been updated on the DS side. You should remember to add the "reboot splunkd" check box in its configuration on the DS so that your changes will come into use also.

Also, the UF must have a connection to the DS with tcp / 8089 (or whatever your mgmt port on the DS is). This can be direct or use a proxy (needs additional configuration on the UF side). These polls should be seen in the _internal log.

Can you check from the _internal index what happened when this serverclass was applied to the UF?

r. Ismo


0 Karma
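
Added example, not from the answer above or from Splunk: Python that parses `splunk btool deploymentclient list --debug` output to report the effective phoneHomeIntervalInSecs and the file that sets it, falling back to the documented default of 60 when no file sets it. The sample output, its assumed layout (source file path, whitespace, then a stanza or key = value) and the host ds.example.invalid are constructed for illustration.

```python
import re

SPEC_DEFAULT = 60.0  # "Default: 60." from deploymentclient.conf.spec

# Constructed sample of `splunk btool deploymentclient list --debug` output.
# Assumed layout: source file path, whitespace, then [stanza] or key = value.
SAMPLE = r"""
C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf                 [deployment-client]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf                 phoneHomeIntervalInSecs = 30
C:\Program Files\SplunkUniversalForwarder\etc\apps\zzz_win_base_uf\default\deploymentclient.conf [target-broker:deploymentServer]
C:\Program Files\SplunkUniversalForwarder\etc\apps\zzz_win_base_uf\default\deploymentclient.conf targetUri = ds.example.invalid:8089
"""

# Non-greedy match up to the first ".conf" followed by whitespace, so Windows
# paths that contain spaces ("Program Files") stay in one piece.
LINE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<rest>\S.*)$")


def parse_btool_debug(text):
    """Return {(stanza, key): (value, source_file)} from btool --debug text."""
    settings, stanza = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
        elif "=" in rest:
            key, value = (part.strip() for part in rest.split("=", 1))
            settings[(stanza, key)] = (value, m.group("path"))
    return settings


def phone_home_interval(settings):
    """Effective interval and its source file; spec default if unset."""
    hit = settings.get(("deployment-client", "phoneHomeIntervalInSecs"))
    if hit is None:
        return SPEC_DEFAULT, "spec default (not set in any file)"
    return float(hit[0]), hit[1]


def set_in_system_local(settings):
    """Keys set in etc/system/local rather than in an app under etc/apps."""
    return sorted(key for (_, key), (_, src) in settings.items()
                  if re.search(r"[\\/]system[\\/]local[\\/]", src))


if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE)
    print(phone_home_interval(parsed), set_in_system_local(parsed))
```
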