Hi,
I have defined a forwarder. This forwarder was configured to send its logs to an indexer for testing purposes. Do you know why when I run search, it thinks its a deployment server/client, but is NOT assigned this server role to it?
Search
index=_internal host="host1" source="*var/log/splunk/splunkd.log" sourcetype=splunkd DS_DC_Common
Output
5/11/16 6:36:41.866 AM 05-11-2016 06:36:41.866 -0400 INFO DS_DC_Common - Deployment Server|Client initialized successfully.
host = host1
source = /opt/splunk/fwdr/var/log/splunk/splunkd.log
sourcetype = splunkd
If any Splunk instance has a serverclass.conf
file, it will think that it is a Deployment Server
. Delete that file.
ok. thanks. The only issue I see with deleting this file on a non-deployment server that I get this message everytime I restart splunk:
Validating installed files against hashes from '/opt/splunk/fwdr/splunk-6.4.0-f2c836328108-linux-2.6-x86_64-manifest'
Could not open '/opt/splunk/fwdr/etc/system/default/serverclass.conf': No such file or directory
Problems were found, please review your files and move customizations to local
All preliminary checks passed.
is there a setting inside serverclass.conf that to indicate it is not participating as deployment server that I can put in the local/serverclass.conf?
What version of Splunk you're using? Did you install the Splunk Universal forwarder OR used Splunk Enterprise and configured it as forwarder?