
Why is Forwarder Management not pushing out configuration changes?

andrei1bc
Communicator

Hi

I am using the Forwarder Management to push out configs in the form of apps to the many forwarders in our infrastructure, but the new config is not applied.

My use case:
1. add-on added in the deployment-apps folder
2. add-on pushed to forwarders in my server_class -> no errors returned
3. created new app to enable a URL monitor using the above pushed add-on
4. pushed the new URL_monitor app containing the configs to the forwarders, including a splunkd restart flag -> no errors returned
5. no events are indexed and no errors are returned although the add-on and the app are present under each forwarder's app folder

Using a curl on the endpoint monitor returns the status.

Add-on name: REST API Modular Input -> https://splunkbase.splunk.com/app/1546/

URL_Monitoring app contents under local directory:

inputs.conf :

[rest://test]
source = test
auth_type = none
endpoint = http://localhost:8888/test/monitoring
http_method = GET
index = main
index_error_response_codes = 0
polling_interval = 60
request_timeout = 50
response_type = xml
sequential_mode = 0
sourcetype = url
streaming_request = 0

props.conf

[url]
category = Custom
pulldown_type = 1
disabled = false
TRANSFORMS-url = url_transformation

transforms.conf

[url_transformation]
REGEX = ^.\w+..\w+.(?<url_status>\w+).+
FORMAT = url_status::$1
WRITE_META = true

Can I please get some direction on what I am doing wrong?

Thank you in advance.

0 Karma
1 Solution

andrei1bc
Communicator

Well, found the fix:

As the rest app was renamed inside the repository, the rest.py script must also be modified to reflect the new name.

  1. cd /splunk/etc/deployment-apps/test_rest/bin
  2. sed -i 's/rest_ta/test_rest/g' rest.py

Redeployed the addon and everything works.
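
A pre-deployment check for the situation in the accepted fix above, where the app directory was renamed but a script inside it still carried the old name. This is an added shell example, not part of the original thread or of the add-on's code; the function names `stale_refs` and `fix_refs`, the restriction on app-name characters, and the sample file content are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes app directory names contain
# only letters, digits, '_' and '-', so they are safe inside a sed pattern.
valid_name() {
    case $1 in '' | *[!A-Za-z0-9_-]*) return 1 ;; esac
}

# stale_refs APP_DIR OLD_NAME: list text files that still contain OLD_NAME.
# Exit status: 0 = references found, 1 = none, 2 = bad name or grep error.
stale_refs() {
    valid_name "$2" || return 2
    grep -rIlF -- "$2" "$1" 2>/dev/null
}

# fix_refs APP_DIR OLD_NAME: rewrite OLD_NAME to APP_DIR's current directory
# name, then re-scan. Exit status: 0 = clean, 1 = references remain, 2 = refused.
fix_refs() {
    [ -d "$1" ] || return 2
    new_name=$(basename "$1")
    valid_name "$2" && valid_name "$new_name" || return 2
    # If the new name contains the old one, the substitution is not
    # idempotent and the re-scan could never come back clean: refuse.
    case $new_name in *"$2"*) return 2 ;; esac
    files=$(stale_refs "$1" "$2") || return 0   # nothing references OLD_NAME
    printf '%s\n' "$files" | while IFS= read -r f; do
        # Go through a temp file and copy back into the original so its
        # mode (e.g. the executable bit on bin/ scripts) is preserved.
        sed "s/$2/$new_name/g" "$f" > "$f.tmp" && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
    done
    ! stale_refs "$1" "$2" > /dev/null
}

# Demo on a constructed app tree; the file content is made up for illustration.
demo=$(mktemp -d) && mkdir -p "$demo/test_rest/bin"
printf 'APP_DIR = "etc/apps/rest_ta"\n' > "$demo/test_rest/bin/rest.py"
stale_refs "$demo/test_rest" rest_ta      # lists the file that needs editing
fix_refs "$demo/test_rest" rest_ta && echo "no stale references left"
rm -rf "$demo"
```

Running `stale_refs` alone against an app under deployment-apps before redeploying shows which files would be touched without changing anything.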

muebel
SplunkTrust

ah yeah, that would make sense

0 Karma

muebel
SplunkTrust

Have you tested this configuration on a single instance to make sure it works as expected?

Do you see the app being loaded onto one of the new instances?

0 Karma

andrei1bc
Communicator

Forgot to mention that I am using heavy forwarders.

Using the same inputs/props/transforms and the addon on a single instance works, but in my test the files were sitting under the search app and not a new individual app.

0 Karma