- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk App for Unix and Linux and Deployment Serve...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk App for Unix and Linux and Deployment Server
So I have setup both the Splunk TA for nix and Splunk App for Linux on my Deployment Server. It didn't take me long to discover that any time the DS pushed the app back out, all config settings on the client servers were overwritten with the default settings. I then configured the TA on a client and was able to locate the configuration files on the client and then copied them up to the DS. I then restarted the the deployment server service and the app was pushed out again. This time, the new settings went with it, and all is good! I the configured the Splunk App for Linux on a client and attempted the same thing by copying all the resulting settings files from:
/opt/splunk/etc/apps/splunk_app_for_nix/local
up to the DS and restarted the deployment server service. The app was pushed out again, but only some of the settings were pushed. Specifically, none of the "Category" entries I created on the Settings screen were pushed. Thus, it appears that these settings are not stored at: /opt/splunk/etc/apps/splunk_app_for_nix/local
Does anyone happen to know where these are stored? Even better, is there a Splunk BBP describing "Splunk's" way of deploying pre-configured apps so that "all" settings are maintained?
Thanks!
Jon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for all the suggestions everyone! I just found what I was looking for. I "greped" for a value that I have created when I configured the app, and I found that these values are held in: /opt/splunk/etc/apps/splunk_app_for_nix/lookups/dropdowns.csv. I then copied it over to the DS at: /opt/splunk/etc/deployment-apps/splunk_app_for_nix/lookups and then I restarted the deployment server service with: /opt/splunk/bin/splunk reload deploy-server.
I then went to a Search Head that I have not used before, and all of my settings are there!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modify the configurations again on in the GUI, then log into CLI on and do this:
find /opt/splunk/etc -name "*.conf" -mtime -1 -print
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are probably editing the configuration files in the Apps' default directory. Every file in there should say at the very top something like DO NOT EDIT THIS FILE! Instead copy settings to local. So do that. Download the app fresh again (because now you have modified the files in default and you need to put them back). Then, for the settings that you need to change, create the same configuration file name inside of the local directory (which should be empty accept possibly for a dummy apps.conf file). Push it out fresh from the DS. Then copy ONLY the stanza header of the thing you need to change and the specific KVPs that you need to modify (do not copy the entire stanza). The DS will not mess with files in the local directories of apps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I double-checked, and I did not touch anything in the "default" folder. After configuring it on a search head, I copied these files:
alert_overlay.conf
headlines.conf
macros.conf
savedsearches.conf
unix_setup.conf
to the DS under /opt/splunk/etc/deployment-apps/splunk_app_for_nix/local. I then restarted the deployment server and it pushed these out to everything. The only part missing is that the "Categories" and "Groups" I defined under the Settings menu are not being copied. Thus, I am wondering what file contains these settings, so I can copy it up to the DS with the others.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Under /opt/splunk/etc/deployment-apps/splunk_app_for_nix/default I see the following -
$ grep -i categ *.conf
props.conf:## Required fields: action,dest,object,object_category,object_path,status,user
props.conf:REPORT-vendor_object_category_for_fs_notification = vendor_object_category_for_fs_notification
props.conf:LOOKUP-object_category_for_fs_notification = endpoint_change_object_category_lookup object as vendor_object_category OUTPUT object_category
transforms.conf:FORMAT = vendor_action::$2 object_category::$3 name::$1 user::$4
transforms.conf:FORMAT = vendor_action::$2 object_category::$3 name::$1 user::$4
transforms.conf:[endpoint_change_object_category_lookup]
transforms.conf:filename = object_category.csv
transforms.conf:[vendor_object_category_for_fs_notification]
transforms.conf:FORMAT = vendor_object_category::$1
And group is mentioned in eventtypes.conf, tags.conf and transforms.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why do you push the app for nix to search heads throw the Deployment Server? if these are 3 separate search heads, you are creating a triple load on the indexers...
in general, imho, try and avoid distribution of user facing apps to search heads especially apps that needs configurations like the app for nix.
if you decide to do so anyways, i will reccomend to setup the app (from gui) on your Deployment Server. after its been set up properly, copy the entre app folder from .../etc/apps/ to /etc/deployment-apps/ and only then push to search heads
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
did you try and push the splunk_app_for_nix to the forwarders?
can you be a little more specific?
how your splunk environment looks like? how many indexers? how many search heads?
are you using the deployment server to push applications to forwarders or also to indexers and search heads?
kindly let us know so we can better assist
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Our environment consists of three independent search heads, 3 indexers in a cluster, and 1 cluster master. The deployment server resides on the cluster master. Yes, we use the DS to push apps to SH's, Indexers, Forwarders, etc. I was able to get the majority of the app working by installing it on a search head and then copying these files:
alert_overlay.conf
headlines.conf
macros.conf
savedsearches.conf
unix_setup.conf
to the DS under /opt/splunk/etc/deployment-apps/splunk_app_for_nix/local. I then restarted the deployment server and it pushed these out to everything. The only part missing is that the "Categories" and "Groups" I defined under the Settings menu are not being copied. Thus, I am wondering what file contains these settings, so I can copy it up to the DS with the others.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
