All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk App for Unix and Linux and Deployment Server

jon_d_irish_ctr
Path Finder
‎07-12-2017 10:51 AM

So I have setup both the Splunk TA for nix and Splunk App for Linux on my Deployment Server. It didn't take me long to discover that any time the DS pushed the app back out, all config settings on the client servers were overwritten with the default settings. I then configured the TA on a client and was able to locate the configuration files on the client and then copied them up to the DS. I then restarted the the deployment server service and the app was pushed out again. This time, the new settings went with it, and all is good! I the configured the Splunk App for Linux on a client and attempted the same thing by copying all the resulting settings files from:
/opt/splunk/etc/apps/splunk_app_for_nix/local

up to the DS and restarted the deployment server service. The app was pushed out again, but only some of the settings were pushed. Specifically, none of the "Category" entries I created on the Settings screen were pushed. Thus, it appears that these settings are not stored at: /opt/splunk/etc/apps/splunk_app_for_nix/local

Does anyone happen to know where these are stored? Even better, is there a Splunk BBP describing "Splunk's" way of deploying pre-configured apps so that "all" settings are maintained?

Thanks!
Jon

0 Karma
Reply

jon_d_irish_ctr
Path Finder
‎07-13-2017 08:46 AM

Thanks for all the suggestions everyone! I just found what I was looking for. I "greped" for a value that I have created when I configured the app, and I found that these values are held in: /opt/splunk/etc/apps/splunk_app_for_nix/lookups/dropdowns.csv. I then copied it over to the DS at: /opt/splunk/etc/deployment-apps/splunk_app_for_nix/lookups and then I restarted the deployment server service with: /opt/splunk/bin/splunk reload deploy-server.

I then went to a Search Head that I have not used before, and all of my settings are there!

0 Karma
Reply

woodcock
Esteemed Legend
‎07-13-2017 07:06 AM

Modify the configurations again on in the GUI, then log into CLI on and do this:

find /opt/splunk/etc -name "*.conf" -mtime -1 -print
0 Karma
Reply

woodcock
Esteemed Legend
‎07-12-2017 06:04 PM

You are probably editing the configuration files in the Apps' default directory. Every file in there should say at the very top something like DO NOT EDIT THIS FILE! Instead copy settings to local. So do that. Download the app fresh again (because now you have modified the files in default and you need to put them back). Then, for the settings that you need to change, create the same configuration file name inside of the local directory (which should be empty accept possibly for a dummy apps.conf file). Push it out fresh from the DS. Then copy ONLY the stanza header of the thing you need to change and the specific KVPs that you need to modify (do not copy the entire stanza). The DS will not mess with files in the local directories of apps.

0 Karma
Reply

jon_d_irish_ctr
Path Finder
‎07-13-2017 05:43 AM

Hello,
I double-checked, and I did not touch anything in the "default" folder. After configuring it on a search head, I copied these files:
alert_overlay.conf
headlines.conf
macros.conf
savedsearches.conf
unix_setup.conf

to the DS under /opt/splunk/etc/deployment-apps/splunk_app_for_nix/local. I then restarted the deployment server and it pushed these out to everything. The only part missing is that the "Categories" and "Groups" I defined under the Settings menu are not being copied. Thus, I am wondering what file contains these settings, so I can copy it up to the DS with the others.

0 Karma
Reply

ddrillic
Ultra Champion
‎07-13-2017 07:44 AM

Under /opt/splunk/etc/deployment-apps/splunk_app_for_nix/default I see the following - 

$ grep -i categ *.conf
props.conf:## Required fields: action,dest,object,object_category,object_path,status,user
props.conf:REPORT-vendor_object_category_for_fs_notification = vendor_object_category_for_fs_notification
props.conf:LOOKUP-object_category_for_fs_notification = endpoint_change_object_category_lookup object as vendor_object_category OUTPUT object_category
transforms.conf:FORMAT = vendor_action::$2 object_category::$3 name::$1 user::$4
transforms.conf:FORMAT = vendor_action::$2 object_category::$3 name::$1 user::$4
transforms.conf:[endpoint_change_object_category_lookup]
transforms.conf:filename = object_category.csv
transforms.conf:[vendor_object_category_for_fs_notification]
transforms.conf:FORMAT = vendor_object_category::$1

And group is mentioned in eventtypes.conf, tags.conf and transforms.conf.

0 Karma
Reply

adonio
Ultra Champion
‎07-13-2017 07:37 AM

why do you push the app for nix to search heads throw the Deployment Server? if these are 3 separate search heads, you are creating a triple load on the indexers...
in general, imho, try and avoid distribution of user facing apps to search heads especially apps that needs configurations like the app for nix.
if you decide to do so anyways, i will reccomend to setup the app (from gui) on your Deployment Server. after its been set up properly, copy the entre app folder from .../etc/apps/ to /etc/deployment-apps/ and only then push to search heads
hope it helps

0 Karma
Reply

adonio
Ultra Champion
‎07-12-2017 05:39 PM

hello there,
did you try and push the splunk_app_for_nix to the forwarders?
can you be a little more specific?
how your splunk environment looks like? how many indexers? how many search heads?
are you using the deployment server to push applications to forwarders or also to indexers and search heads?
kindly let us know so we can better assist

0 Karma
Reply

jon_d_irish_ctr
Path Finder
‎07-13-2017 05:40 AM

Hello,
Our environment consists of three independent search heads, 3 indexers in a cluster, and 1 cluster master. The deployment server resides on the cluster master. Yes, we use the DS to push apps to SH's, Indexers, Forwarders, etc. I was able to get the majority of the app working by installing it on a search head and then copying these files:
alert_overlay.conf
headlines.conf
macros.conf
savedsearches.conf
unix_setup.conf

to the DS under /opt/splunk/etc/deployment-apps/splunk_app_for_nix/local. I then restarted the deployment server and it pushed these out to everything. The only part missing is that the "Categories" and "Groups" I defined under the Settings menu are not being copied. Thus, I am wondering what file contains these settings, so I can copy it up to the DS with the others.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top