Splunk Enterprise

Why default setting for 'phoneHomeIntervalInSecs' in deploymentclient.conf is not present in UF and Splunk Enterprise?

Ashwini008
Builder

Hello,

I want to see the default configuration of 'phoneHomeIntervalInSecs' in UF. I came across Splunk docs/answers and, as per those, checked in $splunk_home/etc/system/default/deploymentclient.conf in both UF and Splunk Enterprise but was unable to locate it.

Could you please help me with the exact location to validate the phoneHomeIntervalInSecs.

Also, we are manually updating a new outputs.conf in the UF in the path splunk_home/etc/apps/deployment-apps/UFtoHF/local/outputs.conf.

As per the Splunk docs, due to polling between the Deployment Server and the UF, the new manual updates in the UF should be erased, but strangely they have not been erased (even though the new outputs.conf is not present in the DS) and the updates are retained.

How exactly does this polling work between DS and UF? And why aren't the manual updates being erased?

0 Karma

isoutamo
SplunkTrust

Hi

You can see this from the docs:

phoneHomeIntervalInSecs = <decimal>
* How frequently, in seconds, this deployment client should
  check for new content.
* Fractional seconds are allowed.
* Default: 60.

Or check it from /opt/splunk/etc/system/README/deploymentclient.conf.spec

Also you can try this on the UF (or another node which is managed by the DS):

splunk btool deploymentclient list --debug

Unfortunately (at least on one Windows UF where I tested it) it shows only non-default values 😞

Anyhow if you have changed that interval then --debug flag shows from which file it's coming as there can be several places where it is defined. Otherwise it was default 60s.

My advice is to create your own TA for the DS connection, which you can manage later on with the DS, instead of using those CLI commands or directly adding those to /opt/splunk*/etc/system/local/deploymentclient.conf.

Just create an app, e.g. zzz_win_base_uf or similar (your UFtoHF?), where you have under default that deploymentclient.conf and outputs.conf. If/when you are using TLS on server-to-server connections, then you need separate apps for Windows and Linux/Unix, as there are / vs \ in path names in the additional server.conf.

If this app is managed by the DS, then it should be updated when it has been updated on the DS side. You should remember to tick the "reboot splunkd" check box in its configuration on the DS so that your changes will also come into use.

Also the UF must have a connection to the DS with tcp / 8089 (or whatever your mgmt port on the DS is). This can be direct or use a proxy (needs additional configuration on the UF side). These polls should be seen in the _internal log.

Can you check from the _internal index what happened when this serverclass was applied to the UF?

r. Ismo

 

0 Karma
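
Added example (not part of the original thread and not Splunk's own tooling): a shell helper that reads the output of the `splunk btool deploymentclient list --debug` command mentioned in the answer and reports the effective phoneHomeIntervalInSecs together with the file that sets it, falling back to the documented default of 60 when no file sets it. The sample output, the 300-second value and ds.example.com are constructed, and the "file path, then setting" layout of each --debug line is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
DEFAULT_INTERVAL=60   # default stated in deploymentclient.conf.spec

# Reads `splunk btool deploymentclient list --debug` output on stdin and
# prints "<seconds><TAB><file that sets it>".
phone_home_source() {
    awk -v def="$DEFAULT_INTERVAL" '
        # Assumed layout: every merged line is prefixed with its source file.
        # Paths can contain spaces (Windows), so split on the key itself
        # rather than on whitespace-separated fields.
        match($0, /[ \t]phoneHomeIntervalInSecs[ \t]*=[ \t]*/) {
            path  = substr($0, 1, RSTART - 1)
            value = substr($0, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", path)
            sub(/[ \t\r]+$/, "", value)
            printf "%s\t%s\n", value, path
            found = 1
            exit
        }
        END {
            # btool may list only explicitly set values, so a missing key
            # means the built-in default is in effect.
            if (!found)
                printf "%s\t%s\n", def, "(not set in any file; built-in default)"
        }
    '
}

# Constructed sample of --debug output for an app-managed deployment client.
sample_btool_output() {
cat <<'EOF'
/opt/splunkforwarder/etc/apps/zzz_win_base_uf/default/deploymentclient.conf [deployment-client]
/opt/splunkforwarder/etc/apps/zzz_win_base_uf/default/deploymentclient.conf phoneHomeIntervalInSecs = 300
/opt/splunkforwarder/etc/apps/zzz_win_base_uf/default/deploymentclient.conf [target-broker:deploymentServer]
/opt/splunkforwarder/etc/apps/zzz_win_base_uf/default/deploymentclient.conf targetUri = ds.example.com:8089
EOF
}

# Stand-alone run on the constructed sample; on a real forwarder use:
#   splunk btool deploymentclient list --debug | phone_home_source
sample_btool_output | phone_home_source
```

If the reported file sits under etc/system/local rather than in a DS-managed app, the setting was made locally on the forwarder and will not change when the deployment server pushes an update.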