I'm using PowerShell to install universal forwarders on the new machines that I'm spinning up, using the following command:
cmd /c "msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER='simdc01:9997' MONITOR_PATH='c:\logs' PERFMON=cpu,memory,network,diskspace /quiet"
But this does not create an outputs.conf file containing the tcp settings, so I'm doing this in PowerShell to manually create the file needed:
$outputsConfString = @"
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server = simdc01:9997
"@
New-Item "C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf" -type file -force -value $outputsConfString
My question is: is there a way to do this via the CLI, or am I stuck with this hack?
It feels wrong to have to hack files in this way when there is tooling provided to automate things.
This should do the trick.
./splunk add forward-server <indexer>:port -auth admin:password
http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/CLIadmincommands
If you have a lot of forwarders, best to push configs with a deployment server. This approach lets you keep all your configs in one place. I even use the DS to manage multiple indexers.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Aboutdeploymentserver
Spot on, thanks
Ok tried it myself with the file splunkforwarder-6.2.1-245427-x64-release.msi
and the following command:
msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi RECEIVING_INDEXER="foo:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet
This adds the following entry in $SPLUNK_HOME/etc/system/local/outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = foo:9997
[tcpout-server://foo:9997]
Maybe you need to download a fresh copy of the msi or you found a bug 😉
You should be able just to provide the RECEIVING_INDEXER
http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/RemotelydeployaWindowsdfwithastaticconf... during initial install as well ... but it is not honored in this case....
As you can see from my example command line in the question, RECEIVING_INDEXER is there, but it does not work... none of the outputs.conf files are modified with that switch, which is what has led me to ask this question.
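Added example, not part of the original thread and not Splunk's own code: a PowerShell sketch that checks whether outputs.conf already names the indexer and, if not, runs the `add forward-server` command from the answer above and then re-reads the file to confirm the change. The function names `Get-TcpoutServers` and `Set-ForwardServer` are hypothetical, the location of `splunk.exe` under `bin` and the CLI writing to `etc\system\local\outputs.conf` are assumptions, and the credential is prompted for so the password does not sit in the provisioning script.

```powershell
# Added example; function and parameter names are hypothetical.
function Get-TcpoutServers {
    # Return the servers of the default tcpout group from outputs.conf text.
    param([string]$ConfText)
    $stanza = ''
    $settings = @{}
    foreach ($raw in $ConfText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') { $stanza = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $settings["$stanza/$($Matches[1])"] = $Matches[2]
        }
    }
    $group = $settings['tcpout/defaultGroup']
    if (-not $group) { return @() }
    $servers = $settings["tcpout:$group/server"]
    if (-not $servers) { return @() }
    return @($servers -split '\s*,\s*' | Where-Object { $_ })
}

function Set-ForwardServer {
    param(
        [string]$Indexer,
        [pscredential]$Credential,
        [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
    )
    # Assumption: the CLI writes its change to etc\system\local\outputs.conf.
    $conf = Join-Path $SplunkHome 'etc\system\local\outputs.conf'
    $text = if (Test-Path $conf) { Get-Content $conf -Raw } else { '' }
    if ((Get-TcpoutServers $text) -contains $Indexer) { return 'already configured' }

    $splunk = Join-Path $SplunkHome 'bin\splunk.exe'
    $auth = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    & $splunk add forward-server $Indexer -auth $auth | Out-Null

    # Do not trust the command alone: confirm the indexer is now in the file.
    $text = if (Test-Path $conf) { Get-Content $conf -Raw } else { '' }
    if ((Get-TcpoutServers $text) -notcontains $Indexer) {
        throw "$Indexer is still missing from $conf"
    }
    return 'added'
}

# Constructed sample: the outputs.conf content quoted in the thread.
$sample = "[tcpout]`ndefaultGroup = default-autolb-group`n" +
          "[tcpout:default-autolb-group]`nserver = foo:9997`n[tcpout-server://foo:9997]"
Get-TcpoutServers $sample
# On a forwarder host: Set-ForwardServer -Indexer 'simdc01:9997' -Credential (Get-Credential)
```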