Getting Data In

Remote administration of inputs.conf on a Windows forwarder.

RVDowning
Contributor

Using 6.01.

I understand that the inputs.conf in /etc/system/local can't be managed from the deployment server. The /etc/system/default/inputs.conf says not to modify that file. I see warnings about remotely administering the search app by using /etc/apps/search/inputs.conf to specify the "monitor" clauses. Ok then, where SHOULD one modify the inputs.conf for management through the deployment server.

What about etc/apps/MSICreated? I see an inputs.conf in etc/apps/MSICreated/local. What is an MSICreated app? Can one arbitrarily put an inputs.conf in this directory?

bshuler_splunk
Splunk Employee
Splunk Employee

Step 1: On your DS, in deployment-apps, create a deployment app which contains the input.conf you desire. Documentation is here: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Createdeploymentapps

Step 2: Remove all reference to the input stanzas on your forwarder. No need to touch anything in default/inputs.conf. Just check the local/inputs.conf

Step 3: Create a Server Class for your forwarder, and associate the app (configuration bundle) with that server class. Documentation is here: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Useforwardermanagement

Step 4: Be sure you set the app to restart splunkd. Documentation here: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Useforwardermanagementtomanageapps#Edit_...

lukejadamec
Super Champion

Bingo. It took me a while to figure that one out myself. It just sounded too easy.

0 Karma

RVDowning
Contributor

Ok, I think I got it. The app name used under deployment-apps is totally arbitrary. Namely, it could be called 'xyz." I hadn't realized that.

0 Karma

lukejadamec
Super Champion

Everyone uses the search app, but that does not mean you need to manage it from a deployment server. In fact, that is probably a very bad idea. If your inputs.conf is located in the search app, then remove it and put it in a new app. With regard to a deployment server an App can be as simple as a the following folder structure:
inputsapp/local/inputs.conf
Put the inputsapp folder in the deployment apps folder, and push it out to your forwarders.

0 Karma

RVDowning
Contributor

We ARE using the search app. So, given that, is there any place to put the inputs.conf such that it can be administered from the deployment server? Or, is this just something that can't be done?

In which case I'll just have to forget about using the deployment server to administer forwarders.

0 Karma

lukejadamec
Super Champion

In the above example, once deployed the inputs.conf would be found in:
splunkhome/etc/apps/TA_Windows_Webservers/local/inputs.conf
I generally don't like to deploy an app with the same name as an app that can be downloaded and installed.
In this example where you are monitoring windows servers, you may find that windows inputs are also configured in other apps, like MSICreated/local. There should be no conflicting inputs.conf on any system.
Deployment servers are great because you can manage everything from one place, but the initial setup can take time.

0 Karma

lukejadamec
Super Champion

You would put the inputs.conf in your app.

Do not use the search app.
Lets say for example you wanted to monitor windows events and use the TA_Windows app to do it, because that is pretty much what it is designed for. And lets say that you want to manage that App for a central location - Deployment Server.
What I do is install the TA_Windows App on a windows server and configure it to collect the logs that I want. I then cut that app from the server, and put it in my Deployment Apps folder on the Deployment Server and rename it to something like TA_Windows_Webservers.

0 Karma

bshuler_splunk
Splunk Employee
Splunk Employee

That is literally step 1. You will be creating your own app. It will start out on your Deployment Server. Your inputs.conf will be located in $SPLUNK_HOME/etc/deployment-apps/my_cool_app/local/inputs.conf

RVDowning
Contributor

This seems to be a canned response which I don't think is responsive to my question. The users are using the search app. The documentation says:

"Warning: Because of this behavior, you should be extremely cautious before deciding to use the deployment server to manage the Splunk Enterprise search app."

Therefore, the question remains, where can I put the inputs.conf so that I can manage it from the deployment server. I can't use /etc/system/local, /etc/system/default/, /etc/apps/search/local (according to the quote above). So, can one arbitrarily use /etc/apps/MSICreated/local?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...