Deployment Architecture

Using Splunk deployment server to deploy apps to fwd servers


Good morning. I inherited an enterprise Splunk env. We have 4 index servers, a lic server and a deployment server. I find this configuration much more difficult than a standalone config. How do I utilize the deployment server to deploy apps to the fwd clients?

I am finding Splunk documentation to be sparse and scattered and quite honestly horrible!!! So any help is much appreciated!

0 Karma

Esteemed Legend

You should already have an app that contains an outputs.conf, so you will add your forwarder to this serverclass so that he knows where to send his stuff. Then all your new app needs is an inputs.conf file and you should be good to go.

0 Karma


What is the bare min I need to deploy an app that logs /var/log/messages?

0 Karma


Here is a log file from my Linux forwarder I installed:
Script started on Sun 19 Jul 2015 08:08:14 PM EDT
/root/dev/packages # ls
/root/dev/packages # rpm -iv splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm
warning: splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 653fb112: NOKEY
Preparing packages...
/root/dev/packages # which splunk
/root/dev/packages # splunk start --accept-license

This appears to be your first time running this version of Splunk.

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Generating a 1024 bit RSA private key

writing new private key to 'privKeySecure.pem'

Signature ok
Getting CA Private Key
writing RSA key
[ OK ]
/root/dev/packages # splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
/root/dev/packages # splunk set deploy-poll
Your session is invalid. Please login.
Splunk username: admin
Configuration updated.
You need to restart the Splunk Server (splunkd) for your changes to take effect.
/root/dev/packages # service splunk restart
Restarting splunk (via systemctl): [ OK ]
/root/dev/packages # exit

Script done on Sun 19 Jul 2015 08:13:51 PM EDT
/root #

What am I missing? This node is not showing up as a client in forwarder management.


0 Karma


Thank you all for responding... I still cannot get this to work. Is there a place I can read about this from start to finish?

How do I get my Linux server to show up as a forwarder? I have installed the fwd on Linux w/o incident and set it up with splunk set-deploy.

Any help is MUCH appreciated.

0 Karma


That could be your problem. 9997 is typically the port used to send data to Splunk for indexing. The deployment server runs as part of the management port (aka the Splunk API port), which is by default port 8089.

0 Karma


I changed the port and reinstalled the whole thing and this still does not work. If I started out of the box to set this up, is there ONE place I can look for a full configuration of Splunk? I am more than certain it is something I am doing wrong; the problem is the documentation is a rat race to find anything. So scattered. Sorry, I am just frustrated.

0 Karma

Esteemed Legend

Assuming that everything is set up correctly, to deploy a new app to forward new data in from existing forwarders (you really should be more specific about what you are trying to do, what you have tried, and what errors or problems you are having), you just create a new app on the DS in a spot like $SPLUNK_HOME/etc/deployment-apps/MyApp/. Be sure to have the appropriate inputs.conf, props.conf and transforms.conf, at a minimum. Then create a new serverclass and add to it all the forwarders that should get the new app. Lastly, force the DS to recognize (and act upon) your changes with this command:

 $SPLUNK_HOME/bin/splunk reload deploy-server

Here are a few links that you may not have tried:

0 Karma


You will have to configure serverclass.conf on the deploy server to define your deployment clients (forwarder servers) and place the desired apps under deployment-apps and target those apps against the defined serverclass.

Once your configs are ready, you issue the below command and the clients will get the apps that they need:

./splunk reload deploy-server

0 Karma
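
The steps from the answers above, collected into one added example that is not part of the original thread or Splunk's own tooling: it writes the inputs.conf for /var/log/messages, the serverclass.conf stanzas on the deployment server, and the forwarder's deploymentclient.conf. The app name, server class name, client pattern, host name and the choice of etc/system/local for serverclass.conf are assumptions; refusing port 9997 is a heuristic based on the port mix-up discussed in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. App name, server class name, client
# pattern and host names are placeholders supplied by the caller.

# On the deployment server: create the app and the server class that maps
# clients to it. Afterwards run: $SPLUNK_HOME/bin/splunk reload deploy-server
# usage: scaffold_ds_app <splunk_home> <app> <serverclass> <client_pattern>
scaffold_ds_app() {
  ds_home=$1; ds_app=$2; ds_class=$3; ds_pattern=$4
  mkdir -p "$ds_home/etc/deployment-apps/$ds_app/local" "$ds_home/etc/system/local"
  # inputs.conf is all the app itself needs to tail /var/log/messages
  cat > "$ds_home/etc/deployment-apps/$ds_app/local/inputs.conf" <<EOF
[monitor:///var/log/messages]
sourcetype = syslog
disabled = false
EOF
  # Assumption: serverclass.conf is kept in etc/system/local on the DS
  cat >> "$ds_home/etc/system/local/serverclass.conf" <<EOF
[serverClass:$ds_class]
whitelist.0 = $ds_pattern

[serverClass:$ds_class:app:$ds_app]
restartSplunkd = true
EOF
}

# On the forwarder: point the deployment client at the deployment server's
# management port (8089 by default), then restart the forwarder.
# usage: write_deploy_client <forwarder_home> <ds_host:mgmt_port>
write_deploy_client() {
  dc_home=$1; dc_uri=$2
  # Heuristic: 9997 is the usual data-receiving port, so treat it as a mistake
  if [ "${dc_uri##*:}" = 9997 ]; then
    echo "refusing $dc_uri: 9997 is the usual data port, not the management port" >&2
    return 1
  fi
  mkdir -p "$dc_home/etc/system/local"
  cat > "$dc_home/etc/system/local/deploymentclient.conf" <<EOF
[deployment-client]

[target-broker:deploymentServer]
targetUri = $dc_uri
EOF
}
```

The client pattern in whitelist.0 is matched against the forwarder's host name, IP address or client name, so the forwarder only receives the app once it has phoned home and matches that pattern.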