I want to edit server.conf for around 600 servers, is there anyway we can edit them all at a time.
First of All, you have got large environment as per the information of 600 servers. You should NEVER use $SPLUNK_HOME/etc/system/ location for these kind of activities. Always modularise your apps/configs
Planning your environment is the MOST important thing to administer your splunk environment.
So the best case for you is
1. Create an app as per your org's naming standard (eg MY_PROD_server_configs
)
2. Create "local" directory within it and then "server.conf" within it . Finally it would look like MY_PROD_server_configs/local/server.conf
3. Ensure you have ONLY the "required" stanza in your apps server.conf and push it via your deployment server which manages your Universal forwarders/agents
4. It is advised to have a seprate serverclass app (eg MY_PROD_managed_servers_serverclass/local/serverclass.conf
) to modularise what you want to push and which servers you want to push to etc.
Once pushed, you can control everything centrally via deployment server and future updates etc.
We had a vulnerability scan and we got some vulnerabilities and we would like to clear them, in order to clear that we would like add couple of stanzas to the server.conf.
What are these servers, if those are forwarders maybe with deployment server or by making a ansible playbook to change what ever you're trying to change.
If it is the same thing you're trying to change and the servers are forwarders talking to deployment server then it is easy to do it by deployment server. Or else ansible playbook will be the best way
These are regular windows servers, they are not connecting to deployment server but the problem is they if we push something on deployment server they will get changed in apps/local but i want to change in system/local/server.conf
What is the rationale behind wanting to make the change in system/local and not via a deployment app?
The deployment server is the supported (and easy) way to push changes to large numbers of forwarders - making changes to system/local goes against best practices.
What is your use case?
We did it using deployment server. Thank you.
Then ansible-playbook would be a good idea, if the change is static among all the servers