Good morning. I inherited an enterprise Splunk environment. We have 4 index servers, a license server and a deployment server. I find this configuration much more difficult than a stand-alone config. How do I utilize the deployment server to deploy apps to the forwarder clients?
I am finding the Splunk documentation to be sparse and scattered and quite honestly horrible!!! So any help is much appreciated!
You should already have an app that contains an outputs.conf, so you will add your forwarder to this serverclass so that he knows where to send his stuff. Then all your new app needs is an inputs.conf file and you should be good to go.
Here is a log file from my Linux forwarder I installed:
Script started on Sun 19 Jul 2015 08:08:14 PM EDT
/root/dev/packages # ls
/root/dev/packages # rpm -iv splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm
warning: splunkforwarder-6.2.4-271043-linux-2.6-x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 653fb112: NOKEY
/root/dev/packages # which splunk
/root/dev/packages # splunk start --accept-license
This appears to be your first time running this version of Splunk.
Splunk> Take the sh out of IT.
Checking mgmt port : open
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Generating a 1024 bit RSA private key
Getting CA Private Key
writing RSA key
[ OK ]
/root/dev/packages # splunk enable boot-start
Init script installed at /etc/init.d/splunk.
Init script is configured to run at boot.
/root/dev/packages # splunk set deploy-poll 10.11.0.4:9997
Your session is invalid. Please login.
Splunk username: admin
You need to restart the Splunk Server (splunkd) for your changes to take effect.
/root/dev/packages # service splunk restart
Restarting splunk (via systemctl): [ OK ]
/root/dev/packages # exit
Script done on Sun 19 Jul 2015 08:13:51 PM EDT
What am I missing? This node is not showing up as a client in forwarder management.
Thank you all for responding... I still cannot get this to work. Is there a place I can read about this from start to finish?
How do I get my Linux server to show up as a forwarder? I have installed the forwarder on Linux without incident and set it up with splunk set deploy-poll 10.11.0.4:9997.
Any help is MUCH appreciated.
That could be your problem. 9997 is typically the port used to send data to Splunk for indexing. The deployment server runs as part of the management port (aka the Splunk API port), which is by default port 8089.
I changed the port and reinstalled the whole thing and this still does not work. If I started out of the box to set this up is there ONE place I can look for a full configuration of Splunk? I am more than certain it is something I am doing wrong, problem is the documentation is a rat race to find anything. So scattered. Sorry I am just frustrated.
Assuming that everything is set up correctly, to deploy a new app to forward new data in from existing forwarders (you really should be more specific about what you are trying to do, what you have tried, and what errors or problems you are having), you just create a new app on the DS in a spot like $SPLUNK_HOME/etc/deployment-apps/MyApp/. Be sure to have the appropriate transforms.conf, at a minimum. Then create a new serverclass and add to it all the forwarders that should get the new app. Lastly, force the DS to recognize (and act upon) your changes with this command:
$SPLUNK_HOME/bin/splunk reload deploy-server
Here are a few links that you may not have tried:
You will have to configure serverclass.conf on the deployment server to define your deployment clients (forwarder servers), place the desired apps under deployment-apps, and target those apps at the defined serverclass.
Once your configs are ready, you issue the command below and the clients will get the apps that they need:
./splunk reload deploy-server
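The layout the last two answers describe, written out end to end as an added example; it is not from the original posts or from Splunk's own documentation. The deployment server address 10.11.0.4 comes from the thread; the indexer addresses, server class name, app names, index name and monitored path are assumptions, so check them against your environment before use. The first fragment shows the one setting that was wrong in the transcript above (polling the indexing port 9997 instead of the management port 8089).

```ini
# --- On the forwarder: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# This is what "splunk set deploy-poll 10.11.0.4:8089" writes. The target must
# be the management (REST) port 8089; a forwarder pointed at the receiving
# port 9997 never registers and never appears in Forwarder Management.
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = 10.11.0.4:8089

# --- On the deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# A server class selects clients (by hostname, IP or clientName) and lists the
# apps pushed to them. Class and app names below are assumptions.
[global]

[serverClass:linux_forwarders]
# Match all forwarders on the 10.11.0.0/24 subnet except the DS itself.
whitelist.0 = 10.11.0.*
blacklist.0 = 10.11.0.4
# Restart splunkd on the client after a new or changed app lands.
restartSplunkd = true

# Every member of the class gets the outputs app (where to send data) ...
[serverClass:linux_forwarders:app:fwd_outputs]

# ... and the inputs app (what to collect).
[serverClass:linux_forwarders:app:linux_auth_inputs]

# --- On the deployment server:
#     $SPLUNK_HOME/etc/deployment-apps/fwd_outputs/local/outputs.conf ---
# Indexer addresses are assumptions. Listing all four indexers makes the
# forwarder load-balance across them; useACK makes it wait for the indexer
# to acknowledge data so a failed indexer does not silently lose events.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.11.0.11:9997, 10.11.0.12:9997, 10.11.0.13:9997, 10.11.0.14:9997
useACK = true

# --- On the deployment server:
#     $SPLUNK_HOME/etc/deployment-apps/linux_auth_inputs/local/inputs.conf ---
# Index and sourcetype are assumptions; the index must already exist on the indexers.
[monitor:///var/log/secure]
index = linux_os
sourcetype = linux_secure
disabled = false
```

After placing the files on the deployment server, run `$SPLUNK_HOME/bin/splunk reload deploy-server` there; on the forwarder, run `splunk set deploy-poll 10.11.0.4:8089` and restart splunkd. To confirm each side, `splunk show deploy-poll` on the forwarder should print the 8089 target, `splunk list deploy-clients` on the deployment server should list the forwarder once it has phoned home, and `splunk list forward-server` on the forwarder should show the indexers as active once the outputs app has arrived. Keep in mind that anything placed under deployment-apps, including scripted inputs, is pushed to and executed on every client in the class, so write access to that directory and to serverclass.conf should be restricted as tightly as access to the forwarders themselves.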