New Splunk 10 Feature – Effective Configuration
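Splunk 10 introduces the "Effective Configuration" dashboard, which simplifies the management of Universal Forwarders. Administrators can view configuration information (such as inputs, outputs and some server settings) directly, without generating a diag file. The feature is compatible with older UF versions and is enabled by upgrading the Deployment Server and deploying an add-on. 2025-9-30 00:28:57 Author: securityboulevard.com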

One of the Splunk 10 features I’m most excited about is the “Effective Configuration” dashboard.  In this blog post, I’ll explore why this might be my favorite new Splunk 10 feature so far!

The Need

You likely have a number (potentially, a very large number) of Universal Forwarders in your Splunk environment.  You’re likely managing these through Splunk’s Deployment Server, since that allows you to remotely apply configurations to all of your UFs without having to touch each of them manually.  This all works great when things are working normally, but what happens when there’s a problem that needs investigation? 

Right now, troubleshooting a UF requires me to get in touch with our customer, who often needs to get in touch with an administrator, who then can generate a Splunk diag and send it to me for review. This takes time and slows down troubleshooting.  Fortunately, Effective Configuration makes this way easier.

Effective Configuration Dashboard

Splunk 10 renames the Deployment Server screen in the UI from Forwarder Management to Agent Management. At first glance, the interface looks pretty similar to what you’ve seen before, but there are some new features once you start digging in. 

Agent management landing page

When you click on an agent, you can see details about each system’s operating system, IP and DNS name, and associated server classes. But that’s all stuff you could see in Splunk 9.4.  

What’s new is the Effective Configuration tab.  When you click on this, you’ll be able to see some of the configurations on your Universal Forwarder directly from the Agent Management UI in the Deployment Server! This means without getting a diag, you can now check to see what inputs are configured on the UF, what outputs are set to forward that data onto the rest of your Splunk infrastructure, and some server.conf and deploymentclient.conf configurations. 

As a Splunk admin, this feature is a game changer, and is going to save a ton of time when troubleshooting issues with UFs.  It should also greatly reduce the need to request a diag for troubleshooting purposes, at least for more straightforward issues with data inputs. 

How do I set this up?

There are just a few steps that need to be taken to get the Effective Configuration dashboard to populate on your Deployment Server.  These are covered in detail in Splunk Docs.

  • Upgrade your Deployment Server to Splunk Enterprise 10.0.0 or later.  If your Deployment Server is a dedicated Splunk instance, you can do this before upgrading the rest of your infrastructure if you have concerns about upgrading. 
  • Deploy the Splunk Add-on for Effective Configuration to your Universal Forwarders.

And that’s it! Within a few minutes of deployment, you should start to be able to see configuration information on the Effective Configuration tab of your Deployment Server. 

What’s even better is that your UFs don’t have to be running version 10 in order for this to work. I’ve tested it on a UF running Splunk 9.3, and another member of the Splunk Community had it working on 9.0.4 in their lab environment.  

Wrap Up

I’m excited to see these types of new features in Splunk that make the job of administering the product easier. I’m looking forward to getting this rolled out to our managed Splunk clients and empowering our support team to better support them while being more efficient in the process. 


Article source: https://securityboulevard.com/2025/09/new-splunk-10-feature-effective-configuration/