Alright, I've been researching this for the last few hours and I'm at a loss. Here's what I'm having issues with.
I have three indexers that are also working as deployment servers, along with a dedicated search head. Each indexer has identical data in the $SPLUNK_HOME/etc/deployment-apps and $SPLUNK_HOME/etc/system/local directories. The problem I'm having is that the deployment clients are not picking up the 'apps' in $SPLUNK_HOME/etc/deployment-apps. (More specifically, the ones I've created that will distribute the outputs.conf and the inputs.conf, based on Windows vs. Linux.)
Here are the three apps I've created:
$SPLUNK_HOME/etc/deployment-apps/fwd_to_idx
which contains a local directory and the outputs.conf file
[tcpout]
defaultGroup=idx_group
autoLBFrequency=40
[tcpout:idx_group]
server=indexer1:9997,indexer2:9997,indexer3:9997
The other two apps are: $SPLUNK_HOME/etc/deployment-apps/WinEvt-sec1/local/inputs.conf
and
$SPLUNK_HOME/etc/deployment-apps/LinuxEvt-standard/local/inputs.conf
The serverclass.conf file is as follows:
[global]
blacklist.0=*
repositoryLocation = /opt/splunk/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp
[serverClass:DeployConfig]
machineTypes=windows-intel, windows-x64, windows-*, linux-i686, linux-x86_64, linux-*
[serverClass:DeployConfig:app:fwd_to_idx]
stateOnClient=enabled
restartSplunkd=true
# Class specifications for ALL Windows servers.
[serverClass:WindowsMachines]
machineTypes=windows-intel, windows-x64, windows-*
# Forwarding (inputs.conf)
[serverClass:WindowsMachines:app:WinEvt-sec1]
stateOnClient=enabled
restartSplunkd=true
# Class specification for ALL Linux servers.
[serverClass:LinuxOS]
machineTypes=linux-i686, linux-x86_64, linux-*
# Forwarding (inputs.conf)
[serverClass:LinuxOS:app:LinuxEvt-standard]
stateOnClient=enabled
restartSplunkd=true
I'm testing on one Linux server now until I can get the deployment working correctly. Here is the deploymentclients.conf file:
[deployment-client]
disabled = false
[target-broker:deploymentServer]
targetUri = mycompanyindexers:8089
I've configured round-robin DNS to house all three indexers' information so I can use mycompanyindexers in the deploymentclients.conf file, and at any given time any forwarder would be able to pull its config from any one of the three indexers.
Anyone have any thoughts as to why the clients aren't getting the directories in the deployment-apps directory? If you need more info, please let me know.
Sorry for the length btw.
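
Added example, not part of the original post: a small Python evaluator for the whitelist/blacklist host filters in the serverclass.conf shown above, useful for checking which server classes a given client can match. It assumes the default `filterType = whitelist` behaviour described in serverclass.conf.spec (a blacklist hit excludes a client regardless of any whitelist) and that a server class with no filters of its own inherits those of `[global]`; `machineTypes` is not modelled, and the client name `linuxfwd01` and address `10.0.0.5` are made up.

```python
from fnmatch import fnmatchcase

# serverclass.conf stanzas copied from the post (app stanzas omitted for brevity)
SERVERCLASS_CONF = """
[global]
blacklist.0=*
[serverClass:DeployConfig]
machineTypes=windows-intel, windows-x64, windows-*, linux-i686, linux-x86_64, linux-*
[serverClass:WindowsMachines]
machineTypes=windows-intel, windows-x64, windows-*
[serverClass:LinuxOS]
machineTypes=linux-i686, linux-x86_64, linux-*
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def host_filters(stanzas, name):
    """Filters set on the stanza itself, else (assumption) those inherited from [global]."""
    for level in (name, "global"):
        conf = stanzas.get(level, {})
        white = [v for k, v in conf.items() if k.startswith("whitelist.")]
        black = [v for k, v in conf.items() if k.startswith("blacklist.")]
        if white or black:
            return white, black
    return [], []

def evaluate(stanzas, name, client_ids):
    """Return 'blacklisted', 'whitelisted' or 'no-filter-hit' for one server class."""
    white, black = host_filters(stanzas, name)
    hit = lambda pats: any(fnmatchcase(c, p) for c in client_ids for p in pats)
    if hit(black):  # assumed default semantics: a blacklist hit wins over any whitelist
        return "blacklisted"
    return "whitelisted" if hit(white) else "no-filter-hit"

def report(text, client_ids):
    """Evaluate every server class (not app stanzas) for one client's name/IP values."""
    stanzas = parse_conf(text)
    classes = [s for s in stanzas if s.startswith("serverClass:") and ":app:" not in s]
    return {c: evaluate(stanzas, c, client_ids) for c in classes}

if __name__ == "__main__":
    print(report(SERVERCLASS_CONF, ["linuxfwd01", "10.0.0.5"]))  # constructed client
```

`client_ids` stands for the values a deployment server compares against the filters (client name, IP address, hostname); `no-filter-hit` means neither list matched, which is where a machine-type filter would have to decide.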