What about if your pushing the outputs.conf. There is no way to push this if there is an existing outputs.conf file without using /system/local in your deployment. Well, unless you go to all your clients and delete the outputs.conf first, but then I might as well just change it while I'm there. Re-deploy the splunk forwarder with no output.conf and then deploy with a different app. Seems drastic, but I'm suppose that would work. Seems easier to just push /system/local to the client.
... View more