Distributed Deployment Manual

 


Example: add an input to forwarders

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013.

This documentation does not apply to the most recent version of Splunk.

The previous topic, "Extended example: deploy several forwarders", described setting up a deployment environment to manage a set of universal forwarders. It showed how to configure a new deployment server to deploy content to a new set of deployment clients. The current example follows on directly from there, using the configurations created in that topic. It shows how to update a forwarder configuration file and deploy the updated file to a subset of forwarders, defined by a server class.

Overview of the update process

This example starts with the set of configurations and Splunk instances created in the topic "Extended example: deploy several forwarders". The Linux universal forwarders now need to start monitoring data from a second source. To accomplish this, perform these steps on the deployment server:

1. Edit the inputs.conf file for the Linux server class to add the new source, overwriting the previous version in its apps directory.

2. Use the CLI to reload the deployment server, so that it becomes aware of the change and can deploy it to the appropriate set of clients (forwarders).

You need to make changes only on the deployment server. When the deployment clients in the Linux server class next poll the server, they'll be notified of the new inputs.conf file. They'll download the file, enable it, restart Splunk, and immediately begin monitoring the second data source.

Detailed configuration steps

On the deployment server:

1. Edit $SPLUNK_HOME/etc/deployment-apps/linmess/default/inputs.conf to add a new input:

    [monitor:///var/log/messages]
    disabled=false
    sourcetype=syslog

    [monitor:///var/log/httpd]
    disabled=false
    sourcetype=access_common

2. Use the Splunk CLI to reload the deployment server:

    ./splunk reload deploy-server -class Fflanda-LINUX

Once this command has been run, the deployment server notifies the clients that are members of the Fflanda-LINUX server class of the changed file. Since the change doesn't affect the Fflanda-WIN server class, its members don't need to know about it.
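Because step 1 overwrites the previous inputs.conf, an input left out of the edited file is no longer part of the app that the forwarders download. The following shell check, to run before step 2, is an added example and not part of the original Splunk documentation; the function names `enabled_monitors` and `dropped_monitors` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Splunk's code): pre-reload check for a deployment app's inputs.conf.

# Print "path<TAB>sourcetype" for each enabled [monitor://...] stanza in file $1.
# Assumption: disabled=true or disabled=1 marks a stanza as disabled.
enabled_monitors() {
    awk '
        function emit() { if (path != "" && !off) printf "%s\t%s\n", path, st }
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ {
            emit(); path = ""; st = ""; off = 0
            line = trim($0)
            if (line ~ /^\[monitor:\/\/.*\]$/)
                path = substr(line, 12, length(line) - 12)
            next
        }
        {
            i = index($0, "=")
            if (i == 0) next
            key = trim(substr($0, 1, i - 1)); val = trim(substr($0, i + 1))
            if (key == "sourcetype") st = val
            if (key == "disabled") off = (tolower(val) ~ /^(true|1)$/)
        }
        END { emit() }
    ' "$1"
}

# Print each path that is an enabled monitor in old file $1 but not in new file $2.
dropped_monitors() {
    new_paths=$(enabled_monitors "$2" | cut -f1)
    enabled_monitors "$1" | cut -f1 | while IFS= read -r p; do
        printf '%s\n' "$new_paths" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample files: the previous inputs.conf and the edited one from step 1.
demo_dir=$(mktemp -d)
printf '%s\n' '[monitor:///var/log/messages]' 'disabled=false' 'sourcetype=syslog' \
    > "$demo_dir/old.conf"
printf '%s\n' '[monitor:///var/log/messages]' 'disabled=false' 'sourcetype=syslog    ' '' \
    '[monitor:///var/log/httpd]' 'disabled=false' 'sourcetype = access_common' \
    > "$demo_dir/new.conf"

echo "Inputs the Linux server class will receive:"
enabled_monitors "$demo_dir/new.conf"
echo "Inputs dropped by the overwrite (expect none):"
dropped_monitors "$demo_dir/old.conf" "$demo_dir/new.conf"
```

In practice, keep a copy of the file before editing and pass it as the first argument; any path printed by `dropped_monitors` is a log source the server class would stop collecting after the reload.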

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11.

