Forwarder Management - Where to place configuration files to get updated?

colbymahan
Explorer

I have tried to follow the documentation for creating directories and adding the apps, etc. All I want to do is be able to make a change to inputs.config and outputs.config without having to visit the remote machines. The forwarders are installed and pointing to the main server. One of them even checked in and supposedly updated the APP; however, it is not working and the files copied are in a strange location, not mirroring the server side.

I have placed folders with the files I want to update on the forwarders in the following server locations: C:\Program Files\Splunk\etc\deployment-apps\MYConfig1 and C:\Program Files\Splunk\etc\deployment-apps\Myconfig2. In those folders are default and local folders; the local folder was created by default, has a lock on it, and is not shared. I tried placing the files in both locations with no change in result.

On the client side, the following is what gets "updated"

In the C:\Program Files\SplunkUniversalForwarder\etc\deployment-apps folder there is nothing. In the C:\Program Files\SplunkUniversalForwarder\etc\apps folder the Myconfig1 folder does show up with its files. They just don't get used.

In fact, the normal C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf file also appears to have no effect. I have blanked it out and I still get the inputs that were specified at install in the GUI being sent to my indexer.

What is the expected behavior for where to place on the server, where it copies to on the forwarder, and where to check when it does not work?

0 Karma

skender27
Contributor

Hi,

I put the conf files in the $SPLUNK_HOME\etc\deployment-apps\<my_app>\default
Then, after the deploy, you will see the 'local' folder autocreated.

Hope it helps,
Skender

0 Karma

colbymahan
Explorer

Thanks. "- if the inputs are not working, use the btool command on them to check the configuration precedence, maybe you have a conflict."

I think this was the concept I needed. I got a forwarder on a different client to work and update. I am going to remove and reconfigure the first forwarder, as I think I had somehow created a conflict while struggling with it the first time. The btool output showed that my configs were in there, but I think they were overridden by another file I might have borked while troubleshooting.

0 Karma

yannK
Splunk Employee

My advice:
- reset the SplunkUniversalForwarder on your forwarders to the original one (including the defaults)
- create an app dedicated to your input
- use the deployment-server to push just this one
- make sure that the forwarders restart
- if the inputs are not working, use the btool command on them to check the configuration precedence, maybe you have a conflict.

See
http://docs.splunk.com/Documentation/Splunk/6.0.1/admin/Wheretofindtheconfigurationfiles

http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...

0 Karma

yannK
Splunk Employee

If you want to erase the existing one, yes.

But it's easier to create your own app and push it. It will better survive the upgrade of different instances to different versions (with a new version of the SplunkUniversalForwarder, and all the defaults that come with it).

0 Karma

colbymahan
Explorer

Does my "app" need to be called SplunkUniversalForwarder so it matches the "app" that I am trying to update? I'm not really adding an "app"; I am simply trying to push my custom inputs.conf and outputs.conf of the basic forwarder component. I guess that's what I am not understanding. How does it know to apply the conf files universally rather than just when dealing with a certain "app"?

0 Karma

colbymahan
Explorer

My assumption is that the forwarder reads the inputs.config in the default folder and then adds whatever you put in the local version and/or the apps version. This isn't happening. Note that this server is a free version I am testing before moving my enterprise licensing over. I saw a note that the free version does not support deployment server, but it sure seems like it is trying to work.

0 Karma

colbymahan
Explorer

OK, it looks like they get pushed to the appropriate place as you described. The issue is that they are not taking effect or are overridden. Blanking out the inputs.config in the system/local folder, which normally is the one I would edit, does not change the functions at all. On installation I had selected the security, app, and system event logs and added the path to monitor IIS logs. The updated config I sent from the deployment server only has inputs for system and app enabled and has the security set to disabled=0 no other entries.

0 Karma

yannK
Splunk Employee

Put the apps to deploy on the deployment server (so a real Splunk instance)
in the folder $SPLUNK_HOME\etc\deployment-apps

Once deployed to the deployment-clients, they will be copied in the $SPLUNK_HOME\etc\apps\ and overwrite the existing ones.

0 Karma

colbymahan
Explorer

See responses to answer above. Thanks.

0 Karma

lukejadamec
Super Champion

Apps pushed from the server to the forwarder are supposed to get pushed to splunkuniversalforwarder\etc\apps\.
On the server, they are in the deployment-apps folder, but on the forwarder they are in the apps folder.
If there is a conflicting inputs.conf file on the forwarder then it can cause your deployed app to be ignored. Input.conf files with conflicting instructions are used according to the ASCII search of the file structure.
Which inputs are you getting that you want to stop?

0 Karma
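
Added example, not part of the thread and not Splunk's own code: a simplified Python model of the global-context precedence the answers refer to (system/local, then each app's local, then each app's default, then system/default, with app folders compared in ASCII order), reporting per setting which file wins, much as `btool` with `--debug` does on a real forwarder. The names `layer_rank`, `effective` and `SAMPLE` are hypothetical, and every file body is a constructed sample.

```python
import configparser

def layer_rank(path):
    """Sort key for a conf path relative to etc/; lower sorts first and wins."""
    parts = path.replace("\\", "/").split("/")
    if parts[:2] == ["system", "local"]:
        return (0, "")
    if parts[0] == "apps" and parts[2] == "local":
        return (1, parts[1])   # any app's local/ beats every app's default/
    if parts[0] == "apps" and parts[2] == "default":
        return (2, parts[1])   # ties between apps: ASCII order of folder name
    if parts[:2] == ["system", "default"]:
        return (3, "")
    raise ValueError("unexpected conf location: " + path)

def effective(files):
    """files maps {path relative to etc/: conf text}.
    Returns {stanza: {key: (value, winning_path)}}."""
    merged = {}
    for path in sorted(files, key=layer_rank):
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str   # keep key case as written
        cp.read_string(files[path])
        for stanza in cp.sections():
            for key, value in cp[stanza].items():
                # The first (highest-precedence) file to set a key keeps it.
                merged.setdefault(stanza, {}).setdefault(key, (value, path))
    return merged

# Constructed sample: a leftover local setting in another app, plus two
# deployed apps that ship their settings in default/.
SAMPLE = {
    "apps/SplunkUniversalForwarder/local/inputs.conf":
        "[WinEventLog://Security]\ndisabled = 0\n",
    "apps/MYConfig1/default/inputs.conf":
        "[WinEventLog://Security]\ndisabled = 1\n"
        "[WinEventLog://System]\ndisabled = 0\n",
    "apps/Myconfig2/default/inputs.conf":
        "[WinEventLog://System]\ndisabled = 1\n",
}

if __name__ == "__main__":
    for stanza, keys in effective(SAMPLE).items():
        for key, (value, src) in keys.items():
            print(f"{src:50} [{stanza}] {key} = {value}")
```

In the sample, the deployed `disabled = 1` for the Security log loses to the `local` file of another app, even though `MYConfig1` sorts first by name.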