Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Updating the 'deploymentclient.conf' on Forwarders...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am migrating to a new architecture with my Splunk implementation. In this change I will be creating a new Deployment Server. I want to get this change rolled out to all of my Forwarders but from what I've read in the doc, I cannot update the $SPLUNK_HOME/etc/system/local/deploymentclient.conf via the Deployment Server. I have an app called 'deployment_client' that was setup to send config changes to the Forwarder but the etc/system/local copy of deploymentclient.conf trumps any duplicated keyword=value pair so I cannot use that to make this change.
Rolling this around in my head I thought -- maybe -- I can create an app in the Deployment Server on the old platform that will send and execute a script that will also carry with it a new version of the deploymentclient.conf with the correct settings and copy that over the existing version of the file then issue a restart command. This app will not exist on the new Deployment Server so this [script: ...] app will be removed from the Forwarders after they restart, connect to the new Deployment Server and "phone home" and get their updates.
Does anyone see something I do not or something that I have missed with this idea?
Rick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems that I misread the doc and that I can update my deployment_client app with the new settings, deploy that to the Forwarders and the change will take place as needed and wanted.
Is this a great product or what?! Clearly the designers and developers think thru some pretty impressive use cases as they built and continue to improve Splunk. The more I work with it the more I not only love the product but see the many possibilities for which we can use it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems that I misread the doc and that I can update my deployment_client app with the new settings, deploy that to the Forwarders and the change will take place as needed and wanted.
Is this a great product or what?! Clearly the designers and developers think thru some pretty impressive use cases as they built and continue to improve Splunk. The more I work with it the more I not only love the product but see the many possibilities for which we can use it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The system always prefers the system/local version. The configs in system/default provide a base. Next, the default configs from apps (in etc/apps/<app>/default) are layered on, then the local configs from apps, then finally system/local.
For this reason, when using the deployment server, it's preferred not to write application settings to system/local, as they will never be overridden by any application you deploy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not seeing that behavior. Can you point me to the docs that explain it? I have an 'outputs' app that includes a deploymentclient.conf file. However, it is ignored. The system prefers the system/local version.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
