Configure agents
You can set up agents to receive content from agent management. In most cases, you just need to specify the agent management server that you want the agent to connect to.
Even though this step is performed on the agents, not agent management itself, it is an essential part of the overall configuration of the agent management system.
The agent management server cannot be an agent of itself. If it is, the following error will appear in splunkd.log: "This DC shares a Splunk instance with its DS: unsupported configuration". This has the potential to lead to situations where the agents lose their ability to contact agent management.
Specify the agent management server
On each agent, you must specify the agent management server it will connect to. You do this by configuring the deploymentclient.conf file of the agent. Each agent must have a unique network hostname.
There are three ways to configure this file:
- Use the CLI. See Use the CLI, later in this topic.
- Edit the file directly. See Edit deploymentclient.conf, later in this topic.
- For Windows universal forwarders only: Configure a Windows forwarder as an agent during the installation process. See the following topics in the Universal Forwarder manual:
deploymentclient.conf updates to the deployment clients. Doing so is supported and common, but a misconfiguration or serious deployment server issue can lead to situations where the deployment clients lose the intended deploymentclient.conf and consequently their ability to contact the deployment server. Use the CLI
On the agent, run the following CLI commands:
splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart
Use the IP_address/hostname and management_port of agent management you want the agent to connect with.
For example:
splunk set deploy-poll deploymentserver.splunk.mycompany.com:8089
splunk restart
Edit deploymentclient.conf
You can also directly create and edit a deploymentclient.conf file in $SPLUNK_HOME/etc/system/local.
Syntax
The deploymentclient.conf file requires two stanzas:
| Stanza | What it's for |
|---|---|
[deployment-client] | Configures a number of attributes, including where to find new or updated content. You do not usually need to change the default values for this stanza. |
[target-broker:deploymentServer] | Specifies the location of agent management for this agent. deploymentServer is the default name for agent management. You must specify agent management under this stanza. |
This file has a large number of optional attributes, but for most deployments, you only need to set the targetUri attribute under the [target-broker:deploymentServer] stanza. This attribute specifies the agent management of an agent. Here's the attribute syntax:
| Attribute | What it's for | Default |
|---|---|---|
targetUri | Specifies the agent management connection information. Set to | n/a |
For a complete list of deploymentclient.conf attributes, see the deploymentclient.conf specification file in the Admin manual.
Example
Here is a typical agent configuration:
[deployment-client]
[target-broker:deploymentServer]
targetUri = deploymentserver.splunk.mycompany.com:8089
As is usually the case, this example accepts the default values for nearly all attributes. The one attribute that you must set, the location of the agent management, has the value of deploymentserver.splunk.mycompany.com:8089.
Use the REST API to reload and restart
You can use the REST API to reload and restart after configuring an agent. For more information, see deployment/client/{name}/reload in the REST API Reference Manual.
Set an agent name
You can assign a name to each agent. Agent management can filter on agent names, as described in "Set up client filters".
By default, the client name is set to the agent GUID. If you plan to use the client name in filtering, you can explicitly set it to some reasonable and readable name.
Agent names must be unique.
To configure an agent name, set the clientName attribute in deploymentclient.conf to the chosen name. For example:
[deployment-client]
...
clientName = Fflanda-LINUX1
Restart the agent for the configuration change to take effect.
Get agent information
You can find information about the agent from two locations:
- On the agent itself
- In agent management
View the agent status from Splunk Enterprise
You can view the status of an agent from Splunk Enterprise.
-
Log in to Splunk Enterprise.
-
Select Settings at the top of the page.
-
In the System section, select Server settings.
-
Choose Deployment client. This takes you to a read-only screen that provides some information about the agent:
- its agent management
- its server classes and apps
- its status
Note: With version 10.0, the "deployment client" has been renamed into "agent". However, the name "deployment client" remains present in some parts of Splunk Enterprise.
View the agent from agent management
Once you configure and restart the agent, it will initiate a handshake process with the specified agent management. Agent management adds it to its list of agents under the Forwarders tab. For more information about the interface, see Agent management UI overview. For example:
From the Forwarders tab, you can also manipulate the list of columns in the array to display different information about your forwarders. To do so, select the gear icon () in the last column of the array.
Disable an agent
To disable an agent, run this CLI command on the agent:
splunk disable deploy-client
Upgrade an agent
You upgrade an agent in the usual way, according to whether the agent is a universal forwarder or a full Splunk Enterprise instance. The fact that an instance is an agent does not make any difference in how you perform the upgrade.
However, after you upgrade the agent, the agent will appear twice in the agent list that agent management maintains and presents through the agent management interface. To eliminate the duplicate listing, you must restart agent management after an agent upgrade.