Splunk® Enterprise

Updating Splunk Enterprise Instances

Example: Add inputs to forwarders

The previous topic, Extended example: Deploy configurations to several forwarders, described setting up a deployment environment to manage a set of universal forwarders. It showed how to configure a new deployment server to deploy content to a new set of deployment clients. The current example follows on directly from there, using the configurations created in that topic. It shows how to update a forwarder configuration file and deploy the updated file to a subset of forwarders, defined by a server class.

Overview of the update process

This example starts with the set of configurations and Splunk Enterprise instances created in the topic Extended example: Deploy configurations to several forwarders. The Linux universal forwarders now need to start monitoring data from a second source. To accomplish this, perform these steps on the deployment server:

1. Edit the inputs.conf file for the Linux server class to add the new source, overwriting the previous version in its apps directory.

2. Reload the deployment server, so that it becomes aware of the change and can deploy it to the appropriate set of clients (forwarders).

You make changes only on the deployment server. When the deployment clients in the Linux server class next poll the server, they'll be notified of the changed inputs.conf file. They'll download the file, enable it, restart splunkd, and immediately begin monitoring the second data source.

Detailed configuration steps

On the deployment server:

1. Edit $SPLUNK_HOME/etc/deployment-apps/linmess/default/inputs.conf to add new inputs:

[monitor:///var/log/messages]
disabled = false
sourcetype = syslog

[monitor:///var/log/httpd]
disabled = false
sourcetype = access_common

2. Reload the deployment server:

splunk reload deploy-server 

Once this command has been run, the deployment server notifies the clients that are members of the Fflanda-LINUX server class of the changed file. They'll download the file, enable it, restart splunkd, and immediately begin monitoring the second data source.
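A review step that can run on the deployment server before splunk reload deploy-server, given here as an added example that is not part of the Splunk documentation: it parses the previous and edited inputs.conf and reports which monitor stanzas the reload will push to the server class. The function names, the OLD_INPUTS text and the two warning rules are assumptions made for illustration; NEW_INPUTS is the file content from step 1.

```python
import re

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")

# Constructed: the Linux server class file before the edit (first source only).
OLD_INPUTS = "[monitor:///var/log/messages]\ndisabled=false\nsourcetype=syslog\n"
# The edited file from step 1, including its mixed "key=value" spacing.
NEW_INPUTS = OLD_INPUTS + "\n[monitor:///var/log/httpd]\ndisabled=false\nsourcetype = access_common\n"

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def monitors(conf):
    """Keep only file-monitor stanzas."""
    return {k: v for k, v in conf.items() if k.startswith("monitor://")}

def review_change(old_text, new_text):
    """Return (added, removed, changed, warnings) for monitor inputs."""
    old, new = monitors(parse_conf(old_text)), monitors(parse_conf(new_text))
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    warnings = []
    for name, settings in sorted(new.items()):
        # Assumed local review policy: absolute paths (Linux) and an explicit sourcetype.
        if not name[len("monitor://"):].startswith("/"):
            warnings.append(f"{name}: path is not absolute")
        if "sourcetype" not in settings:
            warnings.append(f"{name}: no sourcetype set")
    return added, removed, changed, warnings

if __name__ == "__main__":
    added, removed, changed, warnings = review_change(OLD_INPUTS, NEW_INPUTS)
    print("added:", added, "removed:", removed, "changed:", changed)
    print("warnings:", warnings or "none")
```

Because every client in the server class downloads the file and restarts splunkd after the reload, an unexpected entry under added, removed or changed is worth resolving before running the reload command.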

Last modified on 09 December, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.4.0

