Why are Universal Forwarders not getting pushed co...

jpfrancetic · ‎10-03-2022

Hi Splunk community,

I am currently having an issue with deploying apps to universal forwards. On the deployment server side, I have the hosts set up in the whitelist for specific server classes and on the UF side, I have a deployment client on the hosts plus they are phoning home into the DS.

We are not receiving logs from these UFs because the app that contains the input.conf for these servers is not getting pushed to the UFs.

Is there a way to force the app to get pushed / am I missing a configuration that is causing this to happen? This has been a recurring problem because the app sporadically gets removed from these servers.

Thanks in advance!

isoutamo · ‎10-04-2022

Hi

you should try to find why your DC is not loading / enabling package from your DS. You could try to find the reason from internal logs with queries

index=_internal component=DS* host=<your DS>
index=_internal component=DC* host=<your UF/HF>
index=_internal component=Deploy* host=<your UF/HF>

Those messages should told to you what there is happening.

r. Ismo

Why are Universal Forwarders not getting pushed config apps?

deployment client

deployment server

universal forwarder

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?