- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Issue with configuring forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with configuring forwarder
Hi,
I had configured my universal forwarder on production by adding conf files ie. inputs.conf,outputs.conf and deploymentclient.conf in etc/system/local folder.
Now I want to make changes( like monitoring path etc) on conf files through deployment server by using deployment-app.
I tried this scenario in my local but it not overriding my existing configuration and more its monitoring older path as well as newer path. Might it was not orderride but it is merged.
Please suggest me any solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The apps created in the folder $SPLUNK_HOME/etc/deployment-apps on the deployment server, and defined in the serverclass.conf (or in the forwarder manager page) will be deployed to the deployment-clients in $SPLUNK_HOME/etc/apps.
Therefore they will never replace the configs from $SPLUNK_HOME/etc/system/local.
For details about the deployment server, follow the docs
http://docs.splunk.com/Documentation/Splunk/latest/Updating/Aboutdeploymentserver
Check if the apps have been deployed, If you are not sure of the precedence between the configurations, use the btool command to check the result.
precedence rules :
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
btool
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurati...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When it comes to directory monitoring behavior, you cannot override the system\local folder - it has the highest priority - see the link YannK posted.
Correct, if you want to have something controlled by a deployment server, then you should not have placed the configuration in system\local.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for answer.
If we need option of updating confs files from deployment server then we didnot need to add this files in system/local folder. right ?
Or Is there any way to override system/local files from deployment server then please let me know
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It not mach different but now i am facing this issue for all conf files.
Please suggest me resolution or best practice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How is this different from http://answers.splunk.com/answers/112956/deployment-server-to-forwarder-communication ?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
