Deployment of Splunk TA for Windows via deployment server

himapate
Explorer

Hi ,

We deployed the Splunk universal forwarder through SCCM, with the sendtoindexer app pointing to the indexer and the deployment server set. On deploying it, we found that an inputs.conf is created in the local folder with only the hostname.
Using a batch file, we appended the inputs.conf host data from system/local to Splunk-TA-Windows/local/inputs.conf, deleted the inputs.conf and restarted splunkd. All worked fine.
Now we have Splunk-TA-Windows deployed through the deployment server. When the client phones home, it removes the hostname that was there and keeps the conf file present in the deployment app.
How can I add the host details in Splunk without them getting overridden?
I have 100 servers in all and want the hostname of each present in the inputs.conf of the TA.

0 Karma

ktugwell_splunk
Splunk Employee

Hey himapate,

Upon installation of Splunk, an inputs.conf file will get created to give a host name in the default stanza. This is so the forwarder, if host configuration is not set at an app level, can tell the indexers who they are. Further reading for file precedence might be helpful here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

What I'd suggest you do here is move away from changing configuration files using batch as, if SCCM allows it, there's an easier way to do a packaged install using a few command line switches. Take a look here: http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/InstallaWindowsuniversalforwarderfro...

So, you'd probably want to instruct SCCM to install splunk in quiet mode, agree to the license, and handshake with your deployment server, like so:

DEPLOYMENT_SERVER="<host:port>" AGREETOLICENSE=yes /quiet

Note: You may not need to add the /quiet switch as I think SCCM automatically applies /q to all packages. Give it a try.

Then, when your forwarder connects to the Deployment Server, you can create server classes to send the forwarder the sendtoindexer app, and the Splunk_TA_Windows app.

I hope this helps

0 Karma
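
How the file precedence documented at the link in the answer plays out for the `host` setting, as an added example that is not part of the original thread and not Splunk's own code. It resolves one setting in the global-context order (system/local, then app local, app default, system default, with apps in ASCII order) and assumes a deployment push replaces the app's local inputs.conf; the host name `WEB01`, the stanza contents and the helper names are constructed for illustration.

```python
import configparser

def parse(text):
    """Parse .conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str            # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def rank(path):
    """Global-context precedence tier: lower sorts first and wins."""
    parts = path.split("/")
    if parts[1] == "system":
        return (0 if parts[2] == "local" else 3, "")
    return (1 if parts[3] == "local" else 2, parts[2])   # apps: ASCII order

def resolve(files, stanza, key):
    """Return (value, winning_path) for one setting, or (None, None)."""
    for path in sorted(files, key=rank):
        value = parse(files[path]).get(stanza, {}).get(key)
        if value is not None:
            return value, path
    return None, None

def deployment_push(files, app, new_local):
    """Assumed model: the deployment client replaces the app's local inputs.conf."""
    pushed = dict(files)
    pushed[f"etc/apps/{app}/local/inputs.conf"] = new_local
    return pushed

# Constructed sample data (host name and stanzas are illustrative).
TA = "Splunk_TA_windows"
TA_FROM_DS = "[WinEventLog://Security]\ndisabled = 0\n"
INSTALLER = "[default]\nhost = WEB01\n"

# Workflow from the question: host moved into the TA, system/local deleted.
batch_edit = {f"etc/apps/{TA}/local/inputs.conf": INSTALLER + TA_FROM_DS}
# Alternative: leave the installer-written system/local file in place.
untouched = {"etc/system/local/inputs.conf": INSTALLER,
             f"etc/apps/{TA}/local/inputs.conf": TA_FROM_DS}

if __name__ == "__main__":
    for name, files in (("batch_edit", batch_edit), ("untouched", untouched)):
        after = deployment_push(files, TA, TA_FROM_DS)
        print(name, resolve(files, "default", "host"), "->",
              resolve(after, "default", "host"))
```

In the `batch_edit` layout the host value lives only inside the TA and is gone after the push; in the `untouched` layout it stays in etc/system/local, which the deployed app does not touch.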