Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing an existing Splunk Forwarder into a deployment client

himynamesdave
Contributor
‎03-24-2017 12:30 PM

I have an existing Splunk Forwarder currently forwarding data to an indexer.

I have a new deployment server I want to connect Splunk Forwarder to as deployment client.

Should I need to know anything before pointing Splunk Forwarder at deployment server? I cannot find any warnings in the docs. Will this interrupt current forwarding rules (and apps) currently installed on Forwarder?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-24-2017 12:46 PM

There is no mention in any of the documentation about (warning against) the problems with losing file permissions (executable bit) if you use a Windows-hosted Deployment Server to push configurations to *Nix-based Deployment Clients. I just had another client bitten by this and the warning should definitely be in the docs, probably multiple places. See these:

https://answers.splunk.com/answers/70039/windows-deployment-server-to-nix-deployment-client-permissi...
https://answers.splunk.com/answers/4460/application-scripts-not-executable-when-deployed-via-deploym...
https://answers.splunk.com/answers/463274/deploy-unix-scripts-from-a-windows-deployment-serv.html

Bottom line: Best practice is to NEVER deploy DS on Windows (unless you are absolutely certain that you will never have any *Nix DCs). This is not mentioned anywhere.

To make your forwarder a Deployment Client is just to run this command:

/opt/splunkforwarder/bin/splunk set deploy-poll YourServerHere:8089 --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-24-2017 12:46 PM

There is no mention in any of the documentation about (warning against) the problems with losing file permissions (executable bit) if you use a Windows-hosted Deployment Server to push configurations to *Nix-based Deployment Clients. I just had another client bitten by this and the warning should definitely be in the docs, probably multiple places. See these:

https://answers.splunk.com/answers/70039/windows-deployment-server-to-nix-deployment-client-permissi...
https://answers.splunk.com/answers/4460/application-scripts-not-executable-when-deployed-via-deploym...
https://answers.splunk.com/answers/463274/deploy-unix-scripts-from-a-windows-deployment-serv.html

Bottom line: Best practice is to NEVER deploy DS on Windows (unless you are absolutely certain that you will never have any *Nix DCs). This is not mentioned anywhere.

To make your forwarder a Deployment Client is just to run this command:

/opt/splunkforwarder/bin/splunk set deploy-poll YourServerHere:8089 --accept-license --answer-yes --auto-ports --no-prompt -auth admin:changeme
0 Karma
Reply
Solved! Jump to solution

himynamesdave
Contributor
‎03-24-2017 12:51 PM

Ah, good to know. Im running on Linux so should be OK to turn Forwarder into a Deployment Client then? I am worried about current inputs.conf / outputs.conf in search app /local directory being affected by change. So setting Forwarder as Deployment Client this won't be an issue? Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-24-2017 01:19 PM

In the beginning, nothing will happen when you connect your forwarder for the DS because you have not staged any apps in the $SPLUNK_HOME/etc/apps/deployment-apps/ directory on your DS so there is nothing to deploy. If you are concerned about Knowledge Objects in the search app, then be sure that you do not put a search app (directory) in the deployment-apps directory on your DS.

0 Karma
Reply
Solved! Jump to solution

himynamesdave
Contributor
‎03-24-2017 01:51 PM

Thank you, sir!

0 Karma
Reply
Solved! Jump to solution

himynamesdave
Contributor
‎03-27-2017 01:53 PM

To follow up on this, I recently switched our forwarders and encountered one issue: Splunk changed the host value for each forwarder to "ID" with all events, from all forwarders being indexed as host=ID

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-27-2017 05:45 PM

I saw that; that is BUG for SURE. I commented on that other Question, too. I have never seen that before.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...