What am I missing? (new to splunk, but have been reading all about deployment servers) test environment with 2 servers -- Splunk 5 installed as deployment server @ server named x.y.z Splunk UniversalForwarder 5 installed on client @ server name austest On Deployment Server: $SPLUNKHOME/etc/system/local/serverclass.conf [serverClass:testing] filterType = whitelist repositoryLocation = /opt/splunk/etc/deployment-apps/testing/ whitelist.0 = aus* Placed inputs.conf and outputs.conf at: $SPLUNKHOME/etc/deployment-apps/testing/default outputs.conf [tcpout] disabled = false defaultGroup=splunkPOC [tcpout:splunkPOC] server=x.y.z:9997 [tcpout-server://x.y.z:9997] inputs.conf [monitor:///var/log/messages] disabled=false sourcetype=syslog On client: $SPLUNKHOME/etc/system/local/deploymentclient.conf [target-broker:deploymentServer] targetUri = x.y.z:8089 Enabled the receiver tcp port 9997 on the indexer. (Previously done when testing a 'non-deployment server' setup, which was full functional on forwarding from the client.) Reloaded deploy-server /opt/splunk/bin/splunk reload deploy-server Check that client is configured: /opt/splunkforwarder/bin/splunk list deploy-poll Deployment Server URI is set to "x.y.z:8089". I can see the client reaching the deployment server (at Splunk Web) and via: (at deployment server) /opt/splunk/bin/splunk list deploy-clients | grep 'hostname:' hostname: austest But the client doesn't appear to retrieve the inputs.conf or outputs.conf (at client) /opt/splunkforwarder/bin/splunk list forward-server Active forwards: None Configured but inactive forwards: None No data is forwarded from the client. What is wrong? Where should the files be located after retrieval from the deployment server? (Manual configuration works for the client to send data, but obviously isn't scalable.) ... View more