I am fresh to Splunk Enterprise so I must be missing something simple. To summarize: what does a deployment application actually do? I see the "deployment": the files are copied from the search head/DS to the specified forwarder(s). Everything about "Forwarder management" appears to be working as expected, being configured with the web GUI and/or the CLI files. I have separate Linux instances for 6.5.1 search head, indexers, forwarders, and have been through the Updating SE Instances 6.5.1 PDF several times. To rephrase, the ./deployment-apps files are deployed but then what? Descriptions mention deployment of arbitrary content, script and configuration files. Setting aside the if/when/how for running(?) script files, configuration files are the concern here. I've seen text and other Answers posts that imply the deployment of, say, an inputs.conf file to a forwarder will affect the data it looks at, ingests. I can see how that configuration deployment would make sense when there are many forwarders that want to do about the same thing Details here: * Deployment server & clients show as connected with ./splunk CLI show/list deploy commands. * Automated deployment and manual "reload deploy-server" have both been done. * As said earlier, the files are being deployed to the clients. * Fresh "qwerty" index. * An inputs.conf is set-up & deployed to a forwarder for an existing log file: Deployment server cat $SPLUNK_HOME/etc/deployment-apps/qwerty-app/default/inputs.conf [monitor:///opt/log/junk] disabled = false index = qwerty whitelist = *.log Forwarder [splunk qwerty-app]$ cat /opt/splunkforwarder/etc/apps/qwerty-app/default/inputs.conf [monitor:///opt/log/junk] disabled = false index = qwerty whitelist = *.log Log file on forwarder [splunk]$ ls -al /opt/log/junk/* -rw------- 1 splunk splunk 864674 Jan 13 22:35 /opt/log/junk/crunch.log Shouldn't the new "qwerty" index now have crunch.log data? The forwarder splunkd process was set to restart following the app deployment; restarting it and the search head again made no difference. I've also tried the conf with & without the 'host' parameter (didn't think it'd matter). Any assistance would be greatly appreciated. ... View more

I'm a brand new Splunk user. I've seen you can have just an Enterprise install, no forwarders, monitoring local data only (off-topic to expand on the "only"). Since the single install handles search head & indexer duties (right?), I've been trying to install a forwarder on the same Enterprise box but can't get it to connect. I also tried a separate box for just the forwarder & netstat did say "9997" ESTABLISHED on both machines; still no forwarder data connection. If a forwarder does need an indexer, could the indexer & forwarder be on the same machine? I'd tend to think yes but then again... Thanks! ... View more