Deployment Architecture

Changing an existing Splunk Forwarder into a deployment client

himynamesdave
Contributor

I have an existing Splunk Forwarder currently forwarding data to an indexer.

I have a new deployment server I want to connect Splunk Forwarder to as deployment client.

Should I need to know anything before pointing Splunk Forwarder at deployment server? I cannot find any warnings in the docs. Will this interrupt current forwarding rules (and apps) currently installed on Forwarder?

0 Karma
1 Solution

woodcock
Esteemed Legend

There is no mention in any of the documentation about (warning against) the problems with losing file permissions (executable bit) if you use a Windows-hosted Deployment Server to push configurations to *Nix-based Deployment Clients. I just had another client bitten by this and the warning should definitely be in the docs, probably multiple places. See these:

https://answers.splunk.com/answers/70039/windows-deployment-server-to-nix-deployment-client-permissi...
https://answers.splunk.com/answers/4460/application-scripts-not-executable-when-deployed-via-deploym...
https://answers.splunk.com/answers/463274/deploy-unix-scripts-from-a-windows-deployment-serv.html

Bottom line: Best practice is to NEVER deploy DS on Windows (unless you are absolutely certain that you will never have any *Nix DCs). This is not mentioned anywhere.

To make your forwarder a Deployment Client is just to run this command:

/opt/splunkforwarder/bin/splunk set deploy-poll YourServerHere:8089 --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme

View solution in original post

0 Karma

woodcock
Esteemed Legend

There is no mention in any of the documentation about (warning against) the problems with losing file permissions (executable bit) if you use a Windows-hosted Deployment Server to push configurations to *Nix-based Deployment Clients. I just had another client bitten by this and the warning should definitely be in the docs, probably multiple places. See these:

https://answers.splunk.com/answers/70039/windows-deployment-server-to-nix-deployment-client-permissi...
https://answers.splunk.com/answers/4460/application-scripts-not-executable-when-deployed-via-deploym...
https://answers.splunk.com/answers/463274/deploy-unix-scripts-from-a-windows-deployment-serv.html

Bottom line: Best practice is to NEVER deploy DS on Windows (unless you are absolutely certain that you will never have any *Nix DCs). This is not mentioned anywhere.

To make your forwarder a Deployment Client is just to run this command:

/opt/splunkforwarder/bin/splunk set deploy-poll YourServerHere:8089 --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme
0 Karma

himynamesdave
Contributor

Ah, good to know. Im running on Linux so should be OK to turn Forwarder into a Deployment Client then? I am worried about current inputs.conf / outputs.conf in search app /local directory being affected by change. So setting Forwarder as Deployment Client this won't be an issue? Thanks for your help!

0 Karma

woodcock
Esteemed Legend

In the beginning, nothing will happen when you connect your forwarder for the DS because you have not staged any apps in the $SPLUNK_HOME/etc/apps/deployment-apps/ directory on your DS so there is nothing to deploy. If you are concerned about Knowledge Objects in the search app, then be sure that you do not put a search app (directory) in the deployment-apps directory on your DS.

0 Karma

himynamesdave
Contributor

Thank you, sir!

0 Karma

himynamesdave
Contributor

To follow up on this, I recently switched our forwarders and encountered one issue: Splunk changed the host value for each forwarder to "ID" with all events, from all forwarders being indexed as host=ID

0 Karma

woodcock
Esteemed Legend

I saw that; that is BUG for SURE. I commented on that other Question, too. I have never seen that before.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...