- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Set the tcpout server via the CLI at installat...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im using powershell to install universal forwarders on the new machines that im spinning up using the following command:
cmd /c "msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER='simdc01:9997' MONITOR_PATH='c:\logs' PERFMON=cpu,memory,network,diskspace /quiet"
But this does not create an outputs.conf file containing the tcp settings so im doing this in powershell to manually create the file needed
$outputsConfString = @"
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server = simdc01:9997
"@
New-Item "C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf" -type file -force -value $outputsConfString
My question is, is there a way to do this via the CLI or am i stuck with this hack?
It feels wrong to have to hack files in this way when there is tooling provided to automate things.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should do the trick.
./splunk add forward-server <indexer>:port -auth admin:password
http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/CLIadmincommands
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have a lot of forwarders best to push configs with a deployment server. This approach let's you keep all your configs in one place. I even use the DS to manage multiple indexers.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Aboutdeploymentserver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should do the trick.
./splunk add forward-server <indexer>:port -auth admin:password
http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/CLIadmincommands
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Spot on, thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok tried it myself with the file splunkforwarder-6.2.1-245427-x64-release.msi and the following command:
msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi RECEIVING_INDEXER="foo:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet
this adds in $SPLUNK_HOME/etc/system/local/outputs.conf this entry:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = foo:9997
[tcpout-server://foo:9997]
Maybe you need to download a fresh copy of the msi or you found a bug 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you should be able just to provide the RECEIVING_INDEXER http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/RemotelydeployaWindowsdfwithastaticconf... during initial install as well ... but it is not honored in this case....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as you can see from my example command line in the question RECEIVING_INDEXER is there, but it does not work... none of the outputs.conf files are modified with that switch. which is what has lead me to ask this question.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
