Example: add an input to forwarders
The previous topic, "Extended example: deploy several forwarders", described setting up a deployment environment to manage a set of universal forwarders. It showed how to configure a new deployment server to deploy content to a new set of deployment clients. The current example follows on directly from there, using the configurations created in that topic. It shows how to update a forwarder configuration file and deploy the updated file to a subset of forwarders, defined by a server class.
Overview of the update process
This example starts with the set of configurations and Splunk instances created in the topic "Extended example: deploy several forwarders". The Linux universal forwarders now need to start monitoring data from a second source. To accomplish this, perform these steps on the deployment server:
1. Edit the inputs.conf file for the Linux server class to add the new source, overwriting the previous version in its apps directory.
2. Use the CLI to reload the deployment server, so that it becomes aware of the change and can deploy it to the appropriate set of clients (forwarders).
You need to make changes only on the deployment server. When the deployment clients in the Linux server class next poll the server, they'll be notified of the new inputs.conf file. They'll download the file, enable it, restart Splunk, and immediately begin monitoring the second data source.
Detailed configuration steps
On the deployment server:
1. Edit $SPLUNK_HOME/etc/deployment-apps/linmess/default/inputs.conf to add a new input:
[monitor:///var/log/messages]
disabled=false
sourcetype=syslog

[monitor:///var/log/httpd]
disabled=false
sourcetype = access_common
2. Use the Splunk CLI to reload the deployment server:
./splunk reload deploy-server -class Fflanda-LINUX
Once this command has been run, the deployment server notifies the clients that are members of the Fflanda-LINUX server class of the changed file. Since the change doesn't affect the Fflanda-WIN server class, its members don't need to know about it.
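Because the reload pushes the edited file to every forwarder in the server class, it is worth confirming what changed before running it. The following is an added example, not part of the Splunk documentation: a Python check that compares the previous and updated inputs.conf and lists the paths the forwarders will monitor. The function names are hypothetical, both sample files are constructed, and the previous version is assumed to contain only the /var/log/messages stanza.

```python
# Added example: review an inputs.conf change before reloading the deployment server.

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            # Settings before the first stanza are ignored in this sketch.
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def diff_inputs(old_text, new_text):
    """Return (added, removed, changed) stanza names between two versions."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(s for s in set(old) & set(new) if old[s] != new[s])
    return added, removed, changed

def enabled_monitors(text):
    """List monitored paths whose stanza is not disabled (true/1)."""
    paths = []
    for stanza, settings in parse_conf(text).items():
        if stanza.startswith("monitor://"):
            if settings.get("disabled", "false").lower() not in ("true", "1"):
                paths.append(stanza[len("monitor://"):])
    return paths

# Constructed sample: assumed previous version of the linmess inputs.conf.
OLD = """[monitor:///var/log/messages]
disabled=false
sourcetype=syslog
"""
# Constructed sample: the updated version shown in step 1.
NEW = OLD + """
[monitor:///var/log/httpd]
disabled=false
sourcetype = access_common
"""

if __name__ == "__main__":
    added, removed, changed = diff_inputs(OLD, NEW)
    print("added:", added, "removed:", removed, "changed:", changed)
    print("monitored paths:", enabled_monitors(NEW))
```

An unexpected entry under removed or changed means the overwrite touched more than the new input and should be reviewed before the reload.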
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18