Thank you for the very specific and "user friendly" explanation of such a complex topic. Learning with your videos is really enjoyable.
Hello Sir, I am a huge fan of yours. Please create the same playlist in Hindi. That would be a game changer for millions of students. Thank you
Thank you my friend... you are doing a good service to the techies, and that too on a hot product like Splunk. Expecting more support. Thank you.
Hi @Splunk & Machine Learning, I have one question: after I pulled my deployment server, unfortunately I could not see any client from the HF and UF on the DS. Could you please help me regarding this issue?
Your videos are helping me a lot, much appreciated. 👌
Sir, you're a lifesaver, truly.
Hello, I'm following your example on setting up the deployer. My question is, when you set up your default directory for the fwd_to_receiver, if you're running an indexer cluster, do I list all three IP addresses for those servers?
As usual.. The Best.
Sir, here the logs are coming to the main index (index=main). What if we would like to receive the logs in a different index which is newly created for these two hosts?
Request: please upload a video on deploying app updates / configuration bundles in a clustered environment.
Hi Sid,
I have to create a syslog data input using a TCP port on 5 heavy forwarders. How can I do it from the deployment server? Can you please help?
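For the question above (a TCP syslog input that should reach only the heavy forwarders), here is an added example; it is not from the video and not Splunk's own code. It writes a deployment app containing the inputs.conf, writes a serverclass.conf whose whitelist/blacklist selects the HFs, and then previews which clients the serverclass would match by emulating the deployment server's rules: patterns are matched against the client name, * is a wildcard, and a blacklist hit overrides a whitelist hit. The hostnames, the app name org_hf_syslog_tcp, the index name syslog and port 1514 are assumptions; the real DS also matches patterns against the client's IP address and DNS name, which this emulation does not model.

```shell
#!/bin/sh
# Added example, not from the video or from Splunk: build a deployment app
# that delivers a TCP syslog input, scope it to heavy forwarders with a
# serverclass, and preview serverclass membership offline.
# All hostnames, the app name, the index name and the port are assumptions.

# Create the app under deployment-apps and the serverclass that targets it.
write_deployment_app() {
    ds_etc="$1"
    app="$ds_etc/deployment-apps/org_hf_syslog_tcp"
    mkdir -p "$app/default" "$ds_etc/system/local"
    # index=syslog assumes that index exists on the indexers; port 1514 avoids
    # needing root on the HF for a port below 1024.
    cat > "$app/default/inputs.conf" <<'EOF'
[tcp://1514]
sourcetype = syslog
index = syslog
connection_host = dns
EOF
    # whitelist.N / blacklist.N are globbed against the client identity;
    # a blacklist match removes a client even if a whitelist entry matched.
    cat > "$ds_etc/system/local/serverclass.conf" <<'EOF'
[serverClass:hf_syslog]
whitelist.0 = hf-*
blacklist.0 = hf-lab-*

[serverClass:hf_syslog:app:org_hf_syslog_tcp]
restartSplunkd = true
stateOnClient = enabled
EOF
}

# Print the whitelist or blacklist patterns of CLASS, one per line.
class_patterns() {
    conf="$1" class="$2" kind="$3"
    awk -v s="[serverClass:$class]" -v k="$kind" '
        /^[[:space:]]*\[/ { in_stanza = ($0 == s); next }
        in_stanza && ($0 ~ ("^[[:space:]]*" k "\\.[0-9]+[[:space:]]*=")) {
            sub("^[^=]*=[[:space:]]*", ""); print
        }' "$conf"
}

# Exit 0 if CLIENT is a member of CLASS: some whitelist pattern matches and
# no blacklist pattern does. The case statement does the glob matching.
class_matches() {
    conf="$1" class="$2" client="$3"
    matched=1
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        case "$client" in $pat) matched=0 ;; esac
    done <<EOF
$(class_patterns "$conf" "$class" whitelist)
EOF
    [ "$matched" -eq 0 ] || return 1
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        case "$client" in $pat) return 1 ;; esac
    done <<EOF
$(class_patterns "$conf" "$class" blacklist)
EOF
    return 0
}

# Print "<class> <app>" for every app CLIENT would receive.
apps_for_client() {
    conf="$1" client="$2"
    awk '/^[[:space:]]*\[serverClass:[^:]+:app:/ {
            sub("^[[:space:]]*\\[serverClass:", ""); sub("[]][[:space:]]*$", "")
            split($0, p, ":app:"); print p[1], p[2]
        }' "$conf" |
    while read -r class app; do
        if class_matches "$conf" "$class" "$client"; then
            printf '%s %s\n' "$class" "$app"
        fi
    done
}

# Usage: sh serverclass_preview.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ds=$(mktemp -d)
    write_deployment_app "$ds"
    for c in hf-prod-01.example.internal hf-lab-01.example.internal uf-web-01.example.internal; do
        r=$(apps_for_client "$ds/system/local/serverclass.conf" "$c")
        printf '%s -> %s\n' "$c" "${r:-no apps}"
    done
    rm -rf "$ds"
fi
```

On a real deployment server the app directory is $SPLUNK_HOME/etc/deployment-apps/, Forwarder Management keeps serverclass.conf in $SPLUNK_HOME/etc/system/local/, and after editing either you run `splunk reload deploy-server` so the clients pick up the change on their next phone home. The index named in inputs.conf has to exist on the indexers before the HFs start forwarding.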
This is such a great video which I've watched a couple of times and only the second time does it all click into place! :)
My only question is: so much of the Splunk documentation suggests that no manual changes should be made to the default folder, only the local folder. Would the end result have been the same if the files were added to the local folder on the deployment server?
Please keep up the good work!!!!
Yes, it will be the same.
@splunk_ml so why use the default folder when you know it's good practice to place the configs in the local folder? I was confused by this choice as well lol
Really appreciate your great work
Hello sir, I found you used the public IP address. I would like to know what further steps are involved in using a private IP address. Thanks
Thanks for your video. It's helping me a lot.
I have followed the process and have one issue. After creation of the deploymentclient.conf file and a restart, it should automatically connect with the DS under Forwarder Management --> Clients tab, but it's not working for me on any of the UF, HF, or Windows. Is there any access issue or anything else? Please advise.
Can you please tell us how to configure the deployment server, universal forwarder and heavy forwarder on Windows?
Very good video, thank you very much.
I have a question. Let's say I have 20 UFs with no deployment server. I'm trying to get 10 more UFs plus one deployment server to connect all 30 UFs. So should I go to each UF to configure deploymentclient.conf on all those 30 UFs? It's true that the deployment server will push serverclass and deployment apps and also other configurations to all those UFs. But is there any way to configure the deploymentclient.conf from the deployment server and push it to all those 30 UFs?
I wanted to put this in an email, but it may clear others' doubts as well if it is here.
Very tricky question. I can think of a couple of solutions here:
1. First of all, our deploymentclient.conf resides in the etc/system/local folder. Now I can create an app with just deploymentclient.conf and deploy it through the deployment server to all UFs. In that case we need to delete the system/local deploymentclient.conf file from each UF, which is again not fully automated.
2. We can create a Python script which will update the deploymentclient.conf in system/local, and we can deploy that Python script as a scripted input to all UFs through the deployment server. The only thing we have to handle here is the Splunk restart part in the Python script. Then it will become fully automated. I will try to create a video for this.
@splunk_ml Yes, we can create an app in deployment-apps and call that app in a serverclass that will go to all UFs. Do you think it will override the configs on the UF (system/local/deploymentclient.conf) when we push this app to all UFs?
Thanks for taking the time to reply. #respect
It won't override, because the deployment server will deploy the app in the etc/apps folder. That's why we need to delete the deploymentclient.conf in the system/local folder so that our etc/apps version will take precedence.
@splunk_ml Got it, sir! Thanks
When consuming a global configuration, such as inputs.conf, Splunk software first uses the attributes from any copy of the file in system/local. Then it looks for any copies of the file located in the app directories, adding any attributes found in them, but ignoring attributes already discovered in system/local.
I just read this in the Splunk docs. That means there's no need to empty the local file if the apps directory has the file; it might have precedence.
Thanks for the video. I have a Splunk Cloud environment. How do I configure a server to collect logs from about 5000 workstations? Thanks
You just need to install forwarders there and send the logs to Splunk.
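The precedence question in the exchange above, as an added example that is neither the video's nor Splunk's own code: a POSIX shell script that builds a throwaway etc/ tree (a hand-written system/local/deploymentclient.conf, which is where `splunk set deploy-poll` writes, plus an app pushed by the DS into etc/apps) and then resolves a setting in Splunk's global-context precedence order: system/local first, then each app's local, then each app's default, then system/default. The hostnames, the app name org_all_deploymentclient and the 120-second interval are assumptions.

```shell
#!/bin/sh
# Added example, not from the video or from Splunk: emulate the global
# configuration precedence Splunk applies to deploymentclient.conf, so the
# effect of leaving or removing the system/local copy can be seen directly.
# Order, highest first: system/local > apps/*/local > apps/*/default > system/default
# Hostnames, app name and interval below are made up.

# Build a throwaway etc/ tree: a UF with a hand-written system/local file
# pointing at the old DS, which then receives an app from the new DS.
make_etc_tree() {
    etc="$1"
    mkdir -p "$etc/system/local" "$etc/system/default" \
             "$etc/apps/org_all_deploymentclient/default"
    cat > "$etc/system/local/deploymentclient.conf" <<'EOF'
[target-broker:deploymentServer]
targetUri = old-ds.example.internal:8089
EOF
    cat > "$etc/apps/org_all_deploymentclient/default/deploymentclient.conf" <<'EOF'
[deployment-client]
phoneHomeIntervalInSecs = 120

[target-broker:deploymentServer]
targetUri = new-ds.example.internal:8089
EOF
}

# Print the value of KEY in STANZA from one .conf file, or nothing if absent.
conf_get() {
    file="$1" stanza="$2" key="$3"
    [ -f "$file" ] || return 0
    awk -v s="[$stanza]" -v k="$key" '
        /^[[:space:]]*\[/ { in_stanza = ($0 == s); next }
        in_stanza && ($0 ~ ("^[[:space:]]*" k "[[:space:]]*=")) {
            sub("^[^=]*=[[:space:]]*", ""); print; exit
        }' "$file"
}

# Resolve KEY in STANZA of CONF across the tree in global precedence order.
# Prints "<value> <winning file>"; the first hit wins, as btool --debug shows.
resolve_global() {
    etc="$1" conf="$2" stanza="$3" key="$4"
    for f in "$etc/system/local/$conf" \
             "$etc"/apps/*/local/"$conf" \
             "$etc"/apps/*/default/"$conf" \
             "$etc/system/default/$conf"; do
        v=$(conf_get "$f" "$stanza" "$key")
        if [ -n "$v" ]; then
            printf '%s %s\n' "$v" "${f#"$etc"/}"
            return 0
        fi
    done
    return 1
}

# Which deployment server does this client actually phone home to?
effective_target() {
    resolve_global "$1" deploymentclient.conf target-broker:deploymentServer targetUri | cut -d' ' -f1
}

# Usage: sh precedence.sh --demo
demo() {
    etc=$(mktemp -d)
    make_etc_tree "$etc"
    echo "system/local present: $(resolve_global "$etc" deploymentclient.conf target-broker:deploymentServer targetUri)"
    rm "$etc/system/local/deploymentclient.conf"
    echo "system/local removed: $(resolve_global "$etc" deploymentclient.conf target-broker:deploymentServer targetUri)"
    rm -rf "$etc"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

With the system/local file in place the client keeps talking to old-ds even though the app carries a different targetUri, and only after that file is removed does the app's copy win; this is the behaviour the two replies above describe, and it follows from the doc sentence quoted, since attributes already found in system/local are not replaced by the app directories. On a real forwarder the same check is `splunk btool deploymentclient list --debug`, which prints the winning file beside each setting. The app's copy also sets phoneHomeIntervalInSecs explicitly; when the attribute is omitted, as in the video's file, Splunk uses its default of 60 seconds.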
Check this post,
answers.splunk.com/answers/34896/simple-installation-script-for-universal-forwarder.html
Please share videos about Splunk Fundamentals and modules 1 & 2.
Thank you sir, very helpful 👍
Thank you, very good video :)
Why did you create the outputs.conf & inputs.conf in default?
If you are developing your own app, it's always good to have your out-of-the-box configs in the default folder, so that when you update something it will not impact the user's changes in the local folder (if any).
I have a distributed environment with a cluster master for my indexers. Can I deploy all my apps to the cluster master from the deployment server?
Hi Leo,
Yes, you can deploy apps through the deployment server to the cluster master; please find the reference link below. I will also cover it soon.
docs.splunk.com/Documentation/Splunk/8.2.3/Indexer/Updatepeerconfigurations#Use_deployment_server_to_distribute_the_apps_to_the_manager_node
Sid
#Question
Sir, do we have to log in to each forwarder and enable them for polling the deployment server?
./splunk set deploy-poll
Yes, but if you have a huge number of forwarders then you need to use tools like Ansible to deploy the config.
Very good video, thanks for the time and the explanation. Regards.
Thanks Eduardo 👍
Hi Bro,
I have tried the same config but I'm not able to see the deployment clients reflecting in the forwarder management. Can you please help on this?
Can you please search in the _internal index whether you are receiving any error.
Try this command on the forwarder servers: "./splunk show deploy-poll"
Outstanding!
Thank you for these videos - very informative and helpful!
Got one question if you don't mind: what is the difference between the "local" folder and the "default" folder when we need to put a .conf file into an app?😀
I will try to explain with an example.
Let's say for the app you are building you created a .conf file for the setup. Now initially, when you package the app, there will not be any user-defined values for the configs in your conf file, but when a user sets up the app he/she will give values to those configs according to his/her need.
So in the initial package your conf file should be in the default folder, and generally users should not touch that, as you are the creator of that app; if you see, that is the reason Splunk also recommends not to touch the default folder configs.
Now when users do the setup, the change will be saved (if you are the creator of the app you need to code it) in the local folder for the same conf file, and as the local folder gets higher precedence over the default folder, Splunk will automatically take the updated configs from the local folder.
Hope I didn't confuse you :)
Splunk & Machine Learning thank you so much for your time and the explanation… this is very clear and I understand it now… :)
Really helpful, thank you! :)
I have a requirement where I need to monitor a few log files in a folder (say there are 50 files in that folder), and if one of the files gets removed by the system I need an alert. That alert should also tell me the name of the file which got removed. Can you please help me with how to set up that monitoring in Splunk?
Can you check the below post:
community.splunk.com/t5/Getting-Data-In/Data-Input-Monitor-a-directory-for-new-files-and-delete-when/td-p/27894
I'm able to successfully pull the app to the UF which contains inputs.conf and outputs.conf; however, they are either not monitoring data or not sending it. I've checked all the ports, which are open and fine; there is nothing in /etc/system/local, and the inputs and outputs files are written appropriately as well. The thing is, I can't see anything on the search head with index=_internal for this UF either.
Can you see in the _internal index whether you are receiving any connectivity error from the UF? Also, if you are using the same GCP setup I used in this video, can you check the firewall rule whether you have allowed TCP traffic for those ports?
@splunk_ml I don't see anything under the _internal index, and firewalls are open as well. Can you provide your mail ID? Apart from this I've got other high-level questions as well; maybe the mailbox is the right place to address those.
You can email me at techiesid1985@gmail.com
Hi, I am trying to move the reporting of some servers from a test deployment server to a prod deployment server. So is it possible to push it from the UAT deployment server to the UF agents to report to the prod deployment server? Have you tried anything like this?
I never tried this, but it's possible if there is connectivity between UAT and prod, though it's generally not recommended.
But here I am trying to send a heavy forwarder to one indexer and a Splunk forwarder to another indexer.
Hi @Splunk & Machine Learning,
Thanks for the video. It is really very well explained. But I have heard the terms client phone home and phone home interval in the deployment server concept. Do you have any idea about those?
Client phone home and interval are just terms stating whether the deployment clients are polling the deployment server and how frequently they are polling. These settings are present in the deploymentclient.conf file.
@splunk_ml In the video, when you created deploymentclient.conf there was no attribute for phone home. So do we need to define those settings in deploymentclient.conf, or will there be a default value there?
perfect
Sid, you mentioned in your lecture that the deployment server cannot be used with a Splunk cluster. Does it mean A) the deployment server cannot be configured on a cluster member, or B) Splunk cluster members cannot be clients of the deployment server?
Hello Alex,
I meant the below,
A cluster manager node and a deployment server both consume significant system resources while performing their tasks. The manager node needs reliable and continuous access to resources to perform the ongoing management of the cluster, and the deployment server can easily overwhelm those resources while deploying updates to its deployment clients.
For most deployments, the deployment server must run on a dedicated Splunk Enterprise instance that is not serving as an indexer or a search head. The exception is if the deployment server has only a small number of clients, 50 or less. Under those limited circumstances, it is possible for an indexer or search head to double as a deployment server.
Alternatively, you can host any one of these management components on a deployment server, but only if the deployment server has 50 or less clients:
License master
Monitoring console
Search head cluster deployer
Can I ask you some questions on a few topics/areas in Splunk? I know you are occupied with your to-do list.
Definitely... shoot me an email with the details and I will try to help.
Please make a video for syslog-ng with universal or heavy forwarder or HEC.
Even Splunk Education is not giving this much info.
Bro, speak in Hindi.
I am getting the below warning when I try to poll the forwarder to the deployment server:
Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.