Splunk Enterprise

Edit the Inputs.conf of 20(universal forwarder) using Deployment Server

jadengoho
Builder

Is there a way I can edit the input.conf of (20)Universal Forwarder just using a Deployment server.
If yes, can you please help me.

Tags (1)
0 Karma

xpac
SplunkTrust
SplunkTrust

As always, "it depends".
If the existing inputs.conf is located in etc/system/local/ (or worse, etc/system/default/), you cannot modify it via Deployment server, because DS only deploys to the etc/apps/ directory. (besides some rather ugly hacks using scripted inputs)
If you however have an inputs.conf in an app, you can simply recreate that app on the DS in etc/deployment-apps/yourapp and then distribute it to the forwarders (assuming you configured the DS IP/hostname with those forwarders).
Be aware that you need to recreate the whole app before distributing it via DS, because all files in that app that only exist on the Forwarder, but not the DS will be removed.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

FrankVl
Ultra Champion

Yes you can.

In short, you need to:

  • Ensure the UFs are deployment clients of the DS
  • create an app with the respective inputs.conf content
  • put the app into the deployment-apps folder on the DS
  • On the DS: create a server class that holds the respective forwarders, then associate the app with that server class, to deploy it to the forwarders

If you're new to that, I'd suggest you take a look at the Deployment Server documentation: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver

PS: if with "edit" you literally mean edit an existing inputs.conf file on the UFs, @xpac has some very important comments in his answer.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...