Our forwarder has the following -
$ cat /opt/splunk/splunkforwarder/etc/system/local/deploymentclient.conf
[target-broker:deploymentServer]
targetUri = prod deployment server:8089
However, it sends data to dev. How come?
deploymentclient.conf doesn't configure outputs. But it does tell the forwarder where to get other configurations from, which likely means the deployment server it's pointed to is sending it an app with outputs.conf configured to send to dev. Or it could be that outputs.conf was manually configured on that forwarder to send to dev.
Run:
./bin/splunk btool outputs list --debug
To determine what your current outputs configuration looks like, and which files define that configuration.
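Added example, not part of the original answer: a shell helper that reads the output of the `btool outputs list --debug` command above and reports which file sets each `tcpout` forwarding target, and whether that file sits in an app or in `etc/system/local`. The function names, app name, hostnames and sample input are constructed for illustration.

```shell
#!/bin/sh
# Each --debug line is "<defining file> <stanza header or key = value>".
# Prints: origin<TAB>stanza<TAB>setting<TAB>defining file
outputs_sources() {
    awk '
    {
        file = $1
        rest = $0
        sub(/^[^ \t]+[ \t]+/, "", rest)   # drop the file column and its padding
    }
    rest ~ /^\[/ { stanza = rest; next }  # remember the current stanza header
    stanza ~ /^\[tcpout/ && rest ~ /^(server|defaultGroup)[ \t]*=/ {
        origin = "other"
        if (file ~ /\/etc\/apps\//) origin = "app"                    # may come from a deployment server
        if (file ~ /\/etc\/system\/local\//) origin = "system-local"  # edited on the host
        printf "%s\t%s\t%s\t%s\n", origin, stanza, rest, file
    }'
}

# Constructed sample of btool --debug output (not taken from a real host).
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/splunkforwarder/etc/apps/example_dev_outputs/local/outputs.conf [tcpout]
/opt/splunk/splunkforwarder/etc/system/default/outputs.conf                 autoLBFrequency = 30
/opt/splunk/splunkforwarder/etc/apps/example_dev_outputs/local/outputs.conf defaultGroup = dev_indexers
/opt/splunk/splunkforwarder/etc/apps/example_dev_outputs/local/outputs.conf [tcpout:dev_indexers]
/opt/splunk/splunkforwarder/etc/apps/example_dev_outputs/local/outputs.conf server = dev-idx1.example.com:9997
/opt/splunk/splunkforwarder/etc/system/local/outputs.conf                   [tcpout:prod_indexers]
/opt/splunk/splunkforwarder/etc/system/local/outputs.conf                   server = prod-idx1.example.com:9997
EOF
}

sample_btool_output | outputs_sources
```

On a real forwarder, pipe the command's output in instead: `./bin/splunk btool outputs list --debug | outputs_sources`.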
Gorgeous @micahkemp
Look at outputs.conf where you have configured data forwarding to maybe dev. deploymentclient.conf would not help to troubleshoot that.
Also look at inputs.conf file on the forwarder.
Great - thank you!
The server that is sending data to dev, what's the output.conf file look like?
Another possibility is you're routing data via transforms.conf
Perfect - output.conf it is ;-)