We already have Splunk deployed (indexer, w/ light forwarders)...
The reason for this question is that we've had issues getting Splunk to work, but initially had issues getting data from forwarders. After uninstalling and reinstalling a few times, it finally worked... somehow... which is fine.
The problem is that updating forwarders to blacklist certain events so as not to exceed license limits (saving bandwidth) is going to be a pain to do manually every time, having to update conf files on each server, and of course, as we grow, it makes more sense to have a deployment server enabled.
So, is there any way to enable a deployment server on a Splunk instance that is already installed without having to re-install the indexer and forwarder(s)?
If there is a link to help with this, that would be perfect.
Thanks in advance,
Joe