Gracious Eduardo 👍

yes it will be same.

@@splunk_mlso why use the default folder when you know it’s good practice to place the configs in the local folder? I was confused by this choice as well lol

I will try to explain with an example, lets say the app you are building you created a .conf file for the setup. Now intially when you will package the app there will not be any user defined values for the configs in your conf file but when a user will setup the app he/she will give values to those configs according to his/her need, So in the initial package your conf file should be in default folder and generally user sshould not touch that ,as you are the creator of that app and if you see that is the reason splunk also recommends not to touch the default folder configs. Now when users will do the setup the change will be saved (if you are the creator of the app you need code it) in the local folder for same conf file and as local folder will get higher precedence over default folder splunk will automatically take the updated configs in local folder. Hope I didn't confuse you :)

Splunk & Machine Learning thank you so much for your time and the explanation… this is very clear and I understand it now… :)

client phone home and interval is just term stating whether the deployment clients are polling the deployment server and how frequently they are polling. These settings are present in deploymentclient.conf file.

@@splunk_ml In video when you created deploymentclient.conf there was no attribute for phone home. So do we need to define those settings in deploymentclient.conf or will there be default value there??

you just needs to install forwaders there and send the logs to splunk. Check this post, answers.splunk.com/answers/34896/simple-installation-script-for-universal-forwarder.html

yes, but if you have huge number of forwaders then you need to use tools like ansible to deploy the config.

Hello Alex, I meant the below, A cluster manager node and a deployment server both consume significant system resources while performing their tasks. The manager node needs reliable and continuous access to resources to perform the ongoing management of the cluster, and the deployment server can easily overwhelm those resources while deploying updates to its deployment clients. For most deployments, the deployment server must run on a dedicated Splunk Enterprise instance that is not serving as an indexer or a search head. The exception is if the deployment server has only a small number of clients, 50 or less. Under those limited circumstances, it is possible for an indexer or search head to double as a deployment server. Alternatively, you can host any one of these management components on a deployment server, but only if the deployment server has 50 or less clients: License master Monitoring console Search head cluster deployer

Very tricky question, I can think about couple of solutions here, 1. First of all our deploymentclient.conf resides in etc/system/local folder. Now I can create an app with just deploymentclient.conf and deploy it thru deployment server to all UF. in that case we need to delete the system /local deploymentclient.conf file from each UF, which is again not fully automated. 2. We can create a python script which will update the deploymentclient.conf in system/local and we can deploy that python script as scripted input in all UF through deployment server. Only thing we have to handle here is the splunk restart part in python script. Then it will become fully automated. I will try to create a video for this.

@@splunk_ml Yes, we can create an app in deployment-apps and call that app in serverclass will go to all UF. Do you think it will override the configs in UF (system/local/deploymentclient.conf) when we push this app to all UF.? Thanks for taking the time to reply. #respect

It won't override because deployment server will deploy the app in etc/apps folder. That's why we need to delete the deploymentclient.conf in system/local folder so that our etc/apps version will take precedence.

@@splunk_ml Got it, sir..! Thanks

When consuming a global configuration, such as inputs.conf, Splunk software first uses the attributes from any copy of the file in system/local. Then it looks for any copies of the file located in the app directories, adding any attributes found in them, but ignoring attributes already discovered in system/local. I just read this in splunk docs, that means no need to empty local file if apps directory has the file it might have precedence

I never tried this but its possible if there is connectivity between uat and prod but its generally not recommended.

Hi Leo, Yes you can deploy apps through deployment server to cluster master, please find below the reference link, I will also cover it soon. docs.splunk.com/Documentation/Splunk/8.2.3/Indexer/Updatepeerconfigurations#Use_deployment_server_to_distribute_the_apps_to_the_manager_node Sid

can you check the below post, community.splunk.com/t5/Getting-Data-In/Data-Input-Monitor-a-directory-for-new-files-and-delete-when/td-p/27894

Can you please search in internal index if you are receiving any error.

try this command in forward servers "./splunk show deploy-poll"

Can you see in _internal index where you are receiving any connectivity error from UF? Also if you are using the same GCP setup I used in this video can you check the firewall rule whether you have allowed TCP traffic for those ports?

@@splunk_ml I don't see anything under _internal index and firewalls are open as well, can u provide ur mail id??Apart from this I've got other high level questions as well, may be mailbox is right place to address those

you can email me @techiesid1985@gmail.com

If you are developing your own app its always good to have your out of the box configs in default folder so that when you update something it will not impact the user changes in local folder (if any).

Definitely... Shoot me email with details I will try to help.