Advanced Forwarder Updating

Multiple forwarders or manual deployment

The TA_​cisco_​cdr, as found on Splunkbase, is just a Splunk app like any other. If you already know how to deploy an app in your environment and onto the system that needs this app, then use that method. (Puppet, Splunk’s Deployment Server, manual checklist, etc.). There are only really two notes:

• Do not overwrite your inputs.conf!
  • Our installation instructions have you edit a TA_cisco_cdr/local/inputs.conf file. If you did this, your input file is fine and will not be overwritten. If you edited the TA_cisco_cdr/default/inputs.conf file instead, you should first migrate those settings to the local version of the file. 
• Because it’s doing CSV extractions, all our props and transforms also need to go on the forwarder and be properly referenced too. 

Because of those two things, we heartily recommend deploying our TA with your deployment methodology (after editing the local inputs.conf file) instead of trying to rebuild it from scratch. We promise there’s nothing extra in there, just the stanzas we need to get the job done right.

Heavy Forwarders

A Heavy Forwarder (HF) has not been our recommendation for many years now. A UF will be faster, far lighter on the system and generally works better. 

But sometimes you ​“had one laying around” so are using a HF instead of a UF.

If this is the case, one possibility would be to install/​update the TA by using the ​“Manage Apps” method we outline in our page on updating the app as a whole only substitute ​“TA for Cisco CDR Reporting and Analytics” everywhere you see ​“Cisco CDR Reporting and Analytics”. 

If this process fails, if the web interface for Splunk is disabled, or if you just want to stay consistent, you could also treat it exactly like you are updating a Universal Forwarder.