Splunk® Enterprise

Updating Splunk Enterprise Instances

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Create server classes

A server class maps a group of deployment clients to one or more deployment apps. By creating a server class, you are telling the deployment server that a set of clients should receive updates in the form of a set of apps.

Ways to group clients

A client grouping can be based on a variety of criteria, such as machine type, OS, geographical area, or application type.

A client can belong to multiple server classes. For example, a Windows forwarder located in Kelowna and providing information to the Web hosting team might belong to three server classes: "canada", "windows", and "web_host". This diagram shows how clients can span multiple server classes:

Deployment2-small 60.png

In this example, each deployment client is a Splunk Enterprise forwarder that belongs to two server classes, one for its OS and the other for its geographical location. The deployment server maintains the list of server classes and uses those server classes to determine what content to distribute to each client. For an example of how to implement this type of arrangement to govern the flow of content to clients, see "Deploy configurations to several forwarders".

Another common way to group clients is to define one server class that applies to all deployment clients by default. You can then override various aspects of it as needed by defining more specific server classes for subgroups of clients. For example, if you have a mix of Windows and Linux universal forwarders sending data to the same indexer, you can specify that all forwarders get a common outputs.conf file, but that Windows forwarders get one inputs.conf file while Linux forwarders get a different one. To implement this, you can define an "all forwarder" server class that distributes a deployment app containing a common outputs.conf file to all forwarders, while also defining Windows and Linux server classes that distribute separate apps containing different inputs.conf files to the appropriate subsets of forwarders.

Overview of server class configuration

A server class is a mapping between deployment clients and apps. It tells the deployment server which apps to send to which clients. Therefore, when you define a server class, you associate one or more apps with a group of deployment clients.

You define server classes on the deployment server with these steps:

1. Create the server class.

2. Specify one or more deployment apps for the server class.

3. Specify the clients that belong to the server class.

This section provides an overview of these steps. The specifics of the configuration process depend on the method you use to create the server class: the forwarder management interface or direct editing of serverclass.conf. See "Ways to define server classes".

1. Create the server class

Create and name the server class through the forwarder management interface or directly in serverclass.conf.

Important: Server class names must be unique.

2. Specify apps for the server class

Once you've created the server class, you need to associate deployment apps with it. These are the apps that you earlier created on the deployment server's file system, as described in "Create deployment apps". There is not necessarily a one-to-one correspondence between server classes and apps. Rather, a single server class can include several apps. Similarly, one app can belong to multiple server classes.

3. Specify clients for the server class

Next, you need to associate clients with the server class. You do not ordinarily specify clients individually. Instead, you set up filters that dynamically determine which clients belong to the server class, based on common identifiable characteristics.

Ways to define server classes

You define server classes on the deployment server. Server class definitions are saved in the deployment server's serverclass.conf file. There are two ways to define server classes:

Important: Once you edit serverclass.conf directly, you will probably not be able to use the forwarder management interface for subsequent configuration. This is because forwarder management can handle only a subset of possible configurations. For details on what serverclass.conf changes are compatible with forwarder management, see the topic "Compatibility and forwarder management".

The serverclass.conf file

The serverclass.conf file is the key deployment server configuration file. All server class definitions get written to that file. In addition, it holds a number of other settings related to the functioning of the deployment server. For a detailed description of that file, including a list of all configuration attributes, read the serverclass.conf specification file.

For background information on Splunk Enterprise configuration files, read "About configuration files" in the Admin Manual.

When the forwarder management interface configures server classes, it writes the definitions to a copy of serverclass.conf. You can also edit serverclass.conf directly, and you might need to do so for some complex configurations.

The deployment server can have multiple versions of serverclass.conf. When there are multiple versions of a configuration file, Splunk Enterprise follows a defined process for merging the attributes from all the versions. For details on the order of precedence that Splunk Enterprise uses, read "Configuration file precedence" in the Admin Manual.

When you use forwarder management to create a new server class, it saves the server class definition in a copy of serverclass.conf under $SPLUNK_HOME/etc/system/local. If, instead of using forwarder management, you decide to directly edit serverclass.conf, it is recommended that you create the serverclass.conf file in that same directory, $SPLUNK_HOME/etc/system/local.

If a server class definition exists in a serverclass.conf file under some other directory (most typically an app directory located at $SPLUNK_HOME/etc/apps/<app_name>/local), the forwarder management interface will still display that server class, along with any other server class definitions located in files elsewhere on the system. If you use forwarder management to edit an existing server class, the interface will save the edits to the same version of serverclass.conf. That is, if you edit a server class that's defined in $SPLUNK_HOME/etc/apps/SomeApp/local/serverclass.conf, forwarder management saves the updated definition back to that same directory. However, if you then use forwarder management to create a new server class, it saves the new server class to $SPLUNK_HOME/etc/system/local/serverclass.conf.

Important: Server class names must be unique across all serverclass.conf files.

Last modified on 15 November, 2013
Create deployment apps   Use forwarder management to define server classes

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters