Hi funlearning321,
I suggest to follow the documentation about this topic: https://www.splunk.com/blog/2016/08/31/adding-a-deployment-server-forwarder-management-to-a-new-or-existing-splunk-cloud-or-splunk-enterprise-deployment.html
In addition, you can find yhis useful video: https://www.youtube.com/watch?v=uiU_jGxnnuc
Anyway, the way to proceed is easy:
if you are only testing distributed deployment you have to:
choose a server as Deployment Server (remember that if you have more than 50 Forwarders you need a dedicated server);
install Splunk on this Server;
on each Forwarder, set the correct Deployment Server address using the CLI $SPLUNK_HOME/bin/splunk set deploy-poll servername.mydomain.com:8089
you can do the same thing inserting in the file $SPLUNK_HOME/etc/system/local/deploymentclient.conf the following rows
[target-broker:deploymentServer]
Change the targetUri
targetUri = deploymentserver.splunk.mycompany.com:8089
restart splunk on Forwarder
You'll see the Forwarder on the Deployment server at [Settings -- Forwarder management]
If instead you need a Forwarder management, you have to use a different approach:
On Deployment Server:
install Deployment server in the same way,
create an App (called e.g. "TA_Forwarders" in which there are only two files: deploymentclient.conf and outputs.conf, in deploymentclient.conf there the correct Deployment server Addressing (the same of previous item);
design your deployment policy: define server classes (a list of server with the same apps) and apps;
copy TA_Forwarders in $SPLUNK_HOME/etc/deployment-apps
copy apps in $SPLUNK_HOME/etc/deployment-apps
create Server Classes
On Universal Forwarder:
install Universal Forwarder,
copy the TA_Forwarders on $SPLUNK_HOME/etc/apps
restart Splunk;
Bye.
Giuseppe
... View more
