Example: Add inputs to forwarders
The previous topic, Extended example: Deploy configurations to several forwarders, described setting up a deployment environment to manage a set of universal forwarders. It showed how to configure a new agent management to deploy content to a new set of agents. The current example follows on directly from there, using the configurations created in that topic. It shows how to update a forwarder configuration file and deploy the updated file to a subset of forwarders, defined by a server class.
Overview of the update process
This example starts with the set of configurations and Splunk Enterprise instances created in the topic Extended example: Deploy configurations to several forwarders. The Linux universal forwarders now need to start monitoring data from a second source. To accomplish this, perform these steps on the agent management:
- Edit the inputs.conf file for the Linux server class to add the new source, overwriting the previous version in its apps directory.
- Reload the agent management, so that it becomes aware of the change and can deploy it to the appropriate set of clients (forwarders).
You make changes only on the agent management. When the agents in the Linux server class next poll the server, they'll be notified of the changed inputs.conf file. They'll download the file, enable it, restart splunkd, and immediately begin monitoring the second data source.
Detailed configuration steps
On the agent management:
- Edit $SPLUNK_HOME/etc/deployment-apps/linmess/default/inputs.conf to add new inputs:

  [monitor:///var/log/messages]
  disabled=false
  sourcetype=syslog

  [monitor:///var/log/httpd]
  disabled=false
  sourcetype = access_common
- Reload the agent management:
splunk reload deploy-server
Once this command has been run, the agent management notifies the clients that are members of the Fflanda-LINUX server class of the changed file. They'll download the file, enable it, restart splunkd, and immediately begin monitoring the second data source.
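Because the reload pushes the edited file to every client in the server class and restarts splunkd on each of them, it is worth checking the file before running it. The following is an added example, not part of the Splunk documentation: the function names lint_conf, enabled_monitors and check_app are hypothetical, and the parsing rules are a simplified assumption rather than Splunk's own configuration parser.

```shell
# Added example: pre-reload check for a deployment app's inputs.conf.
# Parsing rules are a simplified assumption, not Splunk's own parser.

# Fail, naming the line, if it is not a comment, blank, [stanza] or key = value.
lint_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[.+\][ \t]*$/   { next }
        /^[ \t]*[A-Za-z_][^=]*=/ { next }
        { printf "%s:%d: malformed: %s\n", FILENAME, NR, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Print the path of every [monitor://...] stanza that is not disabled.
enabled_monitors() {
    awk '
        function emit() { if (path != "" && !off) print path }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            emit(); path = ""; off = 0
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            if (index(name, "monitor://") == 1) path = substr(name, 11)
            next
        }
        {
            n = split($0, kv, "="); key = kv[1]; val = (n > 1) ? kv[2] : ""
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "disabled" && (val == "true" || val == "1")) off = 1
        }
        END { emit() }
    ' "$1"
}

# check_app <inputs.conf> <expected path>...: lint, then compare monitor sets.
check_app() {
    conf=$1; shift
    lint_conf "$conf" >&2 || return 1
    want=$(printf '%s\n' "$@" | sort)
    have=$(enabled_monitors "$conf" | sort)
    [ "$want" = "$have" ] && return 0
    echo "enabled monitors differ from expected: $have" >&2
    return 1
}

# On the agent management, before the reload step:
#   check_app "$SPLUNK_HOME/etc/deployment-apps/linmess/default/inputs.conf" \
#       /var/log/messages /var/log/httpd && splunk reload deploy-server
```

If a stanza header is mistyped or one of the two sources is disabled, check_app returns non-zero and the reload is skipped, so the broken file never reaches the forwarders.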