I am going to be using the Splunk deployment server for the first time in our environment to deploy some changes to the inputs.conf file.
I was wondering if this would fully replace the inputs.conf file on the deployment clients? Or is it possible to use the deployment server to push only some new changes / update the existing inputs.conf?
Deployed apps will overwrite deployed configuration files. You will want to create custom apps to push out so as not to mess with the default Splunk apps -- you will run into interesting problems once you update your deployment clients, as the installer may overwrite your changes and the config won't be redeployed until you change it at the deployment server.
I recommend the following approach:
[edit: Removed last paragraph based on Lowell's advice]
What about if you're pushing the outputs.conf? There is no way to push this if there is an existing outputs.conf file without using /system/local in your deployment. Well, unless you go to all your clients and delete the outputs.conf first, but then I might as well just change it while I'm there. Re-deploy the Splunk forwarder with no outputs.conf and then deploy with a different app. Seems drastic, but I suppose that would work. Seems easier to just push /system/local to the client.
Oh well, I actually want to pursue this as a one-time deployment only. At present the Splunk forwarders have an inputs.conf file in /etc/system/local, so by precedence order it shouldn't override the first copy of inputs.conf, right? Please correct me if I am wrong... thanks
@Lowell -- thanks! I had no idea. Then of course my deployment server doesn't work at this point due to some interesting scenario where SSL connections drop (SPL-30820) so that would explain why my local configs did not get overwritten 🙂
I gave you +1, then I got to your last paragraph.... You are wrong about the local directory thing: If you customize my-app/local/inputs.conf on a deployment client, the very next change to that app on the deployment server will trigger the client to download the new app, and it will overwrite the entire my-app folder structure, which includes everything in the "local" sub-folder. So, yes, you should be concerned about losing your local changes, because you will lose them.
My understanding is that it fully replaces the local/inputs.conf that you may have, meaning it does not append to the current inputs.conf. My suggestion is to have your custom inputs.conf in an app folder instead, so there's no replacement, or create an inputs.conf in an app folder from your deployment.
because at present the Splunk forwarders have their inputs.conf in /etc/system/local
Splunk by default looks through the precedence structure to check for copies of configuration files, right? So by default the deployment on the client could be pushed to one of the apps folders?
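Added example, not part of the original thread: a simplified Python model of the precedence question raised above, showing how an inputs.conf in etc/system/local and one delivered in a deployed app are merged attribute by attribute rather than one file replacing the other. The stanza contents are constructed, and only the two layers named in the thread are modelled.

```python
import configparser

# Constructed sample contents; stanzas and values are illustrative only.
SYSTEM_LOCAL = """\
[monitor:///var/log/messages]
index = main
disabled = 0
"""

# inputs.conf shipped inside a deployed app (my-app/local/inputs.conf).
DEPLOYED_APP = """\
[monitor:///var/log/messages]
index = os
sourcetype = syslog

[monitor:///var/log/secure]
index = os
"""

def parse(text):
    """Parse .conf text into {stanza: {attribute: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def effective(layers):
    """Merge layers given highest precedence first.

    Returns {stanza: {attribute: (value, winning_layer)}}.
    """
    merged = {}
    for name, text in reversed(layers):  # lowest first; higher layers overwrite
        for stanza, attrs in parse(text).items():
            for key, value in attrs.items():
                merged.setdefault(stanza, {})[key] = (value, name)
    return merged

LAYERS = [
    ("etc/system/local", SYSTEM_LOCAL),      # highest precedence
    ("etc/apps/my-app/local", DEPLOYED_APP),  # pushed by the deployment server
]

if __name__ == "__main__":
    for stanza, attrs in effective(LAYERS).items():
        print(f"[{stanza}]")
        for key, (value, layer) in sorted(attrs.items()):
            print(f"  {key} = {value}    <- {layer}")
```

On a real forwarder, `splunk btool inputs list --debug` prints the merged configuration together with the file each line came from.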