I just setup my first Splunk Deployment server. I'm trying to get used to how it works, and how to manage it. In an attempt to K.I.S.S. I decided that my first app that I would deploy and manage would be the the "Windows Universal Forwarder" AKA "Splunk_TA_Windows".
After deploying the app from my deployment server to my clients, I attempted to modify the inputs.conf on the deployment server with the expectation that the change would propagate down to all the clients. Unfortunately that did not happen. After successfully deploying the app to the six clients in my "Test" server class, the updated inputs.conf did not propagate down to the six clients.
After editing the `.\etc\Splunk_TA_Windows\local\inputs.conf` I believe I reloaded the deployment server properly with the following command: `.\bin\splunk reload deploy-server`.
Now my clients are all showing the same entries in the `splunkd.log`
- Successful App deployment:
10-21-2015 12:34:29.626 -0500 INFO DeployedApplication - Installing app=Splunk_TA_windows to='D:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows'
- Failed App update:
10-21-2015 12:41:51.332 -0500 INFO DeployedApplication - Checksum mismatch 0 <> 1316440081260235894 for app=Splunk_TA_windows. Will reload from='zp70019.mcip.usmc.mil:8090/services/streams/deployment?name=default:Test%203:Splunk_TA_windows'
10-21-2015 12:41:51.752 -0500 INFO DeployedApplication - Downloaded url=zp70019.mcip.usmc.mil:8090/services/streams/deployment?name=default:Test%203:Splunk_TA_windows to file='D:\Program Files\SplunkUniversalForwarder\var\run\Test 3\Splunk_TA_windows-1445449223.bundle' sizeKB=3500
10-21-2015 12:41:52.591 -0500 WARN DeployedApplication - app=Splunk_TA_windows, installed_via="search head cluster deployer, UI, CLI, or REST API", checksum=0a01c29a8ea0ff2831f002c02fe365f9210ad2d7
10-21-2015 12:41:52.591 -0500 WARN DeployedApplication - app=Splunk_TA_windows was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app=Splunk_TA_windows via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server
10-21-2015 12:41:52.591 -0500 ERROR DeployedServerclass - name=Test 3 Failed to install app=Splunk_TA_windows
To troubleshoot this I've:
- Restarted the SplunkUniversalForwarder service on the affected client. No change.
- Restarted the Deployment server. Its a Windows VM, so that should have been trouble shooting step number 1. No change.
- Manually removed the app folder from the client, and then restarted the SplunkUniversalForwarder service. After doing this the App will deploy successfully, but the problem reoccurs if I try to edit the input.conf file
What am I missing?
What did I do wrong when I setup my deployment server?
Thanks for the help!
Ken
↧