Splunk® Enterprise

Updating Splunk Enterprise Instances

Download manual as PDF

Download topic as PDF

Example: Add inputs to forwarders

The previous topic, "Extended example: Deploy configurations to several forwarders", described setting up a deployment environment to manage a set of universal forwarders. It showed how to configure a new deployment server to deploy content to a new set of deployment clients. The current example follows on directly from there, using the configurations created in that topic. It shows how to update a forwarder configuration file and deploy the updated file to a subset of forwarders, defined by a server class.

Overview of the update process

This example starts with the set of configurations and Splunk Enterprise instances created in the topic "Extended example: Deploy configurations to several forwarders". The Linux universal forwarders now need to start monitoring data from a second source. To accomplish this, perform these steps on the deployment server:

1. Edit the inputs.conf file for the Linux server class to add the new source, overwriting the previous version in its apps directory.

2. Reload the deployment server, so that it becomes aware of the change and can deploy it to the appropriate set of clients (forwarders).

You make changes only on the deployment server. When the deployment clients in the Linux server class next poll the server, they'll be notified of the changed inputs.conf file. They'll download the file, enable it, restart splunkd, and immediately begin monitoring the second data source.

Detailed configuration steps

On the deployment server:

1. Edit $SPLUNK_HOME/etc/deployment-apps/linmess/default/inputs.conf to add new inputs:


sourcetype = access_common

2. Reload the deployment server:

splunk reload deploy-server 

Once this command has been run, the deployment server notifies the clients that are members of the Fflanda-LINUX server class of the changed file. They'll download the file, enable it, restart splunkd, and immediately begin monitoring the second data source.

Extended example: Deploy configurations to several forwarders

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5


Hi,<br />As you specified that inputs.conf settings in /system/local on the forwarder override settings in any app directories so we should ask user to delete files from system/local and going forward all config will be managed from app/local? Everybody has their configuration in system/local, how we should mange that?<br /><br />Thanks

September 25, 2014

Rameshpatel: No. In the case of inputs.conf, settings in /system/local on the forwarder override settings in any app directories. <br /><br />The Splunk configuration system combines the settings for all copies of a conf file. If the same attribute is set in two copies, the conflict is resolved according to an order of precedence, as described here:<br /><br />http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

November 27, 2013

If I already install inputs.conf in splunk_home/system/local/ folder then this new changes from deployment server will override ?

November 27, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters