Deployment Architecture

Deploy limits.conf for Splunk Universal Forwarder?

jcleary47
Path Finder

We are trying to deploy limits.conf to all of our endpoints to here:

C:\Program Files\SplunkUniversalForwarder\etc\apps\local

The problem is, I don't see an app for SplunkUniversalForwarder on our Deployment Server... It's not in /etc/apps or /etc/deployment-apps

Do I need to create a "SplunkUniversalForwarder" app in the deployment-apps directory on the Deployment Server where our other deployed apps reside, and just create the local folder with the inputs.conf I want to use in there and deploy it like any other app?

I would have thought if the SplunkUniversalForwarder app is on the local machines, there would already be an app for it somewher eon the deployment server...

Tags (1)

koshyk
Super Champion

The best way to handle this is
1. Create a specific app eg: MY_LIMITS_APP and create local/limits.conf within this app
2. put the stanza and value you need in MY_LIMITS_APP/local/limits.conf
3. Update your serverclass to push MY_LIMITS_APP to your Universal Forwarders

Everything should be good and you can control all your limits via this app afterwards and is modular

PS: In case if something is not working, run a btool in your UF to see if the limits.conf stanza from your app is being picked up
$SPLUNK_HOME/bin/splunk cmd btool limits list --debug

jcleary47
Path Finder

Just so I understand, and to clarify - the limits.conf file I want to deploy is supposed to (according to Splunk Support) go into this directory on all of our endpoints:

C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf

If I create a new app with the limits.conf that I want to use, won't it only apply to data going through the forwarder for that app I create?

I was under the impression to create this:
C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf

I would have to have an app on the deployment server called SplunkUniversalForwarder to get it to deploy to that location.

But it sounds like you are saying the SplunkUniversalForwarder will use the limits.conf value from any app that is on the endpoint that has one in it's local folder?

0 Karma

koshyk
Super Champion

It is much simpler than you think. Just create your own app, put the limits.conf in your app and in serverclass, put the wildcard whitelist in deployment-server for of your APP to all UF clients and should go perfectly. and You then have full control and naming standards for your organisation

0 Karma

ddrillic
Ultra Champion

-- But it sounds like you are saying the SplunkUniversalForwarder will use the limits.conf value from any app that is on the endpoint that has one in its local folder?

Absolutely - and you can't control from the deployment server the C:\Program Files\SplunkUniversalForwarder\etc\apps\local\limits.conf file and therefore you should follow the solution prescribed by @koshyk ; -)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...