All Splunk instances in a distributed environment including Search Heads, Indexers, Heavy & Universal Forwarders require configuration updates to meet customers’ requirements. For example, if a customer requires to disable The Web Interface of an Indexer, a set of configuration files is required to be deployed to the Indexer that can disable/enable the Web interface.
The Splunk instance that acts as a centralized configuration manager is called a Deployment Server,
the set of configuration files deployed is called a Splunk App, and the instance receiving the configuration updates (indexer in our example) is called a Deployment Client. The whole process of configuring and distributing Apps is called Forwarder Management, which is the subject of our post.
What is Splunk Forwarder Management?
Forwarder Management is Splunk’s Graphical User Interface used on the Deployment Server to configure and distribute Splunk apps to deployment clients. Forwarder Management is used to configure Apps, Server Classes, deployment clients using Graphical interface instead of having to manually edit serverclass.conf configuration file.
Using the Deployment Server, server classes can be configured to include a group of servers, deployment apps can be configured for each class of servers. A deployment client (Search Head, Indexer, or Forwarder) belonging to one or more server classes, keeps polling the Deployment Server periodically checking for any apps that belong to its server class. If the deployment client detects a new or updated app assigned to Its server class, the client will download the app keeping its apps synchronized with those assigned by the Deployment Server.
Benefits of Splunk Forwarder Management
There are two ways to configure Splunk Deployment Server, either manually by editing serverclass.conf, or by using a Graphical User Interface. The Graphical User interface (Forwarder Management) is very much easier to use and has multiple benefits as well. Below are few benefits of using Splunk Forwarder Management.
Benefit #1
Track the status of the whole deployment environment.
The Graphical User Interface shows how many deployment clients, apps and server classes exist in the environment. Status of last time a deployment client called home.
Benefit #2
Monitor Deployment Activity.
The Graphical User Interface provides the status of deploying apps to clients. Find out clients that have successfully completed deployment, versus those that have failed or still in the process of deployment. Find out what apps are deployed to each deployment client, what server class a client belongs to.
Benefit #3
Configure App behavior.
The Graphical User Interface can configure an App to restart Splunk after deployment to activate required changes. You can enable/disable the app as well as needed.
How to Use Splunk Forwarder Management
Forwarder management can be accessed by clicking the Settings link at the top of the Splunk Web, then by selecting Forwarder Management from the Distributed Environment section. Please note you can’t use a Deployment Server to configure and update indexer cluster peer nodes or search head cluster members.
Below is a screen shot showing an example of a Forwarder Management interface. You can see information reported about Apps, Clients, and Server classes in one screen. As can be seen from the example below, you can see how many Apps exists, details about each App can be viewed/modified by selecting the Apps Tab. Same with Server Classes and Clients.
Conclusion
Forwarder Management is Splunk’s Graphical User Interface used on the Deployment Server to configure and distribute Splunk apps to deployment clients. Alternatively, manual configuration can be done by editing serverclass.conf file, which is much more difficult to achieve. Forwarder Management is much easier to use, can track the status of the whole deployment environment, as well as can monitor the overall deployment activity.
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: Instantly see where your Splunk environment is excelling and opportunities for improvement. From download to results, the whole process takes less than 30 minutes using the button below:
