Deployment Architecture

How to modify configuration of Universal Forwarders from the web interface.

neiljpeterson
Communicator

I feel like this may be a dumb question, but I have scoured the documentation and I must be missing something.

I'm sure there is a way to manage the configuration of a Universal Forwarder from the Splunk web interface, yes?

This page implies that I can deploy the Forwarders with minimum options and depend on the deployment server to configure in inputs.conf and other things on the forwarding host.

This is what I would push out to my servers

msiexec.exe /i splunkuniversalforwarder_x86.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet

But then how do I specify the configuration on my deployment server?? I can verify that the server is calling home, but for the life of me I cannot find where/how to say "forward me this, this and this... put the data in this index... throttle to this bandwidth etc" I would like to do this in a bulk fashion for a large number of machines. Is this not a feature of Splunk or am I missing something here?

0 Karma

aholzer
Motivator

You need to do a few things on your selected deployment server before it knows it's a deployment server and before it knows where to send information.

This link shows you the old way of doing things: http://wiki.splunk.com/Deploy:DeploymentServer. It has the cli to enable the deployment server, it has examples for serverclass.conf, and a number of other useful tidbits

In v6.0+ there is a new gui interface for serverclass creation and management. But the above link should get you started.

Hope this helps.

linu1988
Champion

Yes the answer points you to right direction. When you install a forwarder you don't get anything if you don't specify other parameters like RECEIVING_INDEXER etc.. So you need to have a app to push from deployment server to you newly installed forwarder(called the client). The app will tell where to forward by output.conf file.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...